<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Arial;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Courier New";
        panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:PMingLiU;
        panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.gmail-nc
        {mso-style-name:gmail-nc;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Courier;}
span.m6182268411284431591apple-converted-space
        {mso-style-name:m_6182268411284431591apple-converted-space;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:Calibri;
        color:windowtext;}
span.msoIns
        {mso-style-type:export-only;
        mso-style-name:"";
        text-decoration:underline;
        color:teal;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Our RS is running inside Node.js (JavaScript server side) and we coded this particular check ourselves. We thought that somehow the signing kid was a global configuration, not on a per-JWS
basis. In any case, using the kid from the JWS header works for us. Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Luiz<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">Yannick Béot &lt;yannick.beot@gmail.com&gt;</span><span style="font-family:PMingLiU;color:black"><br>
</span><b><span style="font-family:Calibri;color:black">Date: </span></b><span style="font-family:Calibri;color:black">Tuesday, October 11, 2016 at 4:59 PM<br>
<b>To: </b>Justin Richer &lt;jricher@mit.edu&gt;<br>
<b>Cc: </b>Luiz Omori &lt;luiz.omori@duke.edu&gt;, "mitreid-connect@mit.edu" &lt;mitreid-connect@mit.edu&gt;<br>
<b>Subject: </b>Re: [mitreid-connect] JWT Signatures - which public key?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If you use <span class="gmail-nc"><code>JWSVerificationKeySelector</code> from Nimbus to check the JWT (as described at
<a href="http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens">http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens</a>), you should be fine.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><code>JWSKeySelector</code> filters keys with a <code>JWKMatcher</code>, which checks the kid (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&amp;fileviewer=file-view-default#JWKMatcher.java-562">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&amp;fileviewer=file-view-default#JWKMatcher.java-562</a>).<o:p></o:p></p>
<p class="MsoNormal"><code>JWSVerificationKeySelector</code> is responsible for creating the <code>JWKMatcher</code> based on information from the signature, and especially the kid (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&amp;fileviewer=file-view-default#JWSVerificationKeySelector.java-70">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&amp;fileviewer=file-view-default#JWSVerificationKeySelector.java-70</a>).<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">@Luiz: what are you using to validate the token?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer &lt;<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>&gt; wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">The “kid” will be in the header of the JWT you’re validating. I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> — Justin<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">On Oct 11, 2016, at 12:27 PM, Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt; wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">Well, which “kid” value should we look for? I checked the &lt;root&gt;/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid”
anywhere. Does it mean this info has to be transmitted offline?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<pre style="background:white">{
  "keys":[
    {
      "alg":"RS256",
      "e":"xxx",
      "n":"xxx",
      "kty":"RSA",
      "use":"enc",
      <b><span style="color:red">"kid":"mc.duke.edu"</span></b>
    },
    {
      "e":"xxx",
      "n":"xxx",
      "kty":"RSA",
      <b><span style="color:red">"kid":"Test1"</span></b>
    },
    {
      "e":"xxx",
      "n":"xxx",
      "kty":"RSA",
      <b><span style="color:red">"kid":"Test2"</span></b>
    },
    {
      "e":"xxx",
      "n":"xxx",
      "kty":"RSA",
      <b><span style="color:red">"kid":"rsa1"</span></b>
    }
  ]
}</pre>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:Calibri">From:<span class="m6182268411284431591apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:Calibri">"<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>"
&lt;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt;<br>
<b>Date:<span class="m6182268411284431591apple-converted-space"> </span></b>Tuesday, October 11, 2016 at 12:16 PM<br>
<b>To:<span class="m6182268411284431591apple-converted-space"> </span></b>Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt;, "<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>" &lt;<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>&gt;<br>
<b>Subject:<span class="m6182268411284431591apple-converted-space"> </span></b>RE: [mitreid-connect] JWT Signatures - which public key?<o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt"> </span><span style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">There is a key id present in the header that is interpreted by Nimbus:<span class="m6182268411284431591apple-converted-space"> </span><a href="https://tools.ietf.org/html/rfc7515#section-4.1.4" target="_blank"><span style="color:#954F72">https://tools.ietf.org/html/rfc7515#section-4.1.4</span></a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">You should use it to differentiate the keys.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">Sent from my Windows 10 phone<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:Calibri">From:<span class="m6182268411284431591apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:Calibri"><a href="mailto:luiz.omori@duke.edu" target="_blank"><span style="color:#954F72">Luiz
Omori</span></a><br>
<b>Sent: </b>Tuesday, October 11, 2016 18:04<br>
<b>To:<span class="m6182268411284431591apple-converted-space"> </span></b><a href="mailto:mitreid-connect@mit.edu" target="_blank"><span style="color:#954F72">mitreid-connect@mit.edu</span></a><br>
<b>Subject: </b>[mitreid-connect] JWT Signatures - which public key?<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">Hi,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">In our implementation, the RS, upon receiving a request, first validates the access token signature locally before introspecting it. To perform the signature validation
we use a previously retrieved public key. The issue we are facing is that in our case the &lt;root&gt;/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check
for? <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">Regards,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri">Luiz<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:Calibri"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;background:white">_______________________________________________</span><span style="font-size:9.0pt;font-family:Helvetica"><br>
<span style="background:white">mitreid-connect mailing list</span><br>
<span style="background:white"><a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a></span><br>
<span style="background:white"><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></span></span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>