<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Yannick, thanks for that pointer. Could you please add an issue to the MITREid Connect project to use those classes? The references will be helpful as well.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 11, 2016, at 4:59 PM, Yannick Béot &lt;<a href="mailto:yannick.beot@gmail.com" class="">yannick.beot@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">If you use <span class="gmail-nc">JWSVerificationKeySelector from Nimbus to check the JWT (as stated <a href="http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens" class="">http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens</a>), you should be fine.</span>
<br class=""><pre class=""><code class="gmail-language-java gmail-hljs">JWSKeySelector<span style="font-family:arial,helvetica,sans-serif" class=""> is filtering keys with a</span> JWKMatcher <span style="font-family:arial,helvetica,sans-serif" class="">which checks the kid</span> (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562" class="">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562</a>) <br class=""><br class=""></code><span class="gmail-nc">JWSVerificationKeySelector <span style="font-family:arial,helvetica,sans-serif" class="">is responsible for creating the </span></span><span style="font-family:arial,helvetica,sans-serif" class=""><code class="gmail-language-java gmail-hljs">JWKMatcher <span style="font-family:arial,helvetica,sans-serif" class="">based on information from the signature, and especially the kid</span> (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70" class="">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70</a>)<br class=""><br class=""></code></span></pre><pre class=""><span style="font-family:arial,helvetica,sans-serif" class=""><code class="gmail-language-java gmail-hljs"><span style="font-family:arial,helvetica,sans-serif" class="">@Luiz: what are you using to validate the token?</span> <br class=""></code></span></pre><pre class=""><span 
style="font-family:arial,helvetica,sans-serif" class=""><code class="gmail-language-java gmail-hljs"></code></span></pre></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer <span dir="ltr" class="">&lt;<a href="mailto:jricher@mit.edu" target="_blank" class="">jricher@mit.edu</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">The “kid” will be in the header of the JWT you’re validating. I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="h5"><div class="">On Oct 11, 2016, at 12:27 PM, Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank" class="">luiz.omori@duke.edu</a>&gt; wrote:</div><br class="m_6182268411284431591Apple-interchange-newline"></div></div><div class=""><div class=""><div class="h5"><div class="m_6182268411284431591WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">Well, which “kid” value should we look for? I checked the &lt;root&gt;/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. 
Does it mean this info has to be transmitted offline?<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""><u class=""></u> <u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">{<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "keys":[<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> {<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "alg":"RS256",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "e":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "n":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "kty":"RSA",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "use":"enc",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <span class="m_6182268411284431591Apple-converted-space"> </span><b class=""><span style="color:red" class="">"kid":"<a href="http://mc.duke.edu/" style="color:rgb(149,79,114);text-decoration:underline" target="_blank" class="">mc.duke.edu</a>"</span><u class=""></u><u class=""></u></b></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> },<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> {<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "e":"xxx",<u class=""></u><u class=""></u></div><div 
style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "n":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "kty":"RSA",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <span class="m_6182268411284431591Apple-converted-space"> </span><b class=""><span style="color:red" class="">"kid":"Test1"</span><u class=""></u><u class=""></u></b></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> },<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> {<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "e":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "n":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "kty":"RSA",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <span class="m_6182268411284431591Apple-converted-space"> </span><b class=""><span style="color:red" class="">"kid":"Test2"</span><u class=""></u><u class=""></u></b></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> },<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> {<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "e":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "n":"xxx",<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> "kty":"RSA",<u 
class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <span class="m_6182268411284431591Apple-converted-space"> </span><b class=""><span style="color:red" class="">"kid":"rsa1"</span><u class=""></u><u class=""></u></b></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> }<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> ]<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">}<span class="m_6182268411284431591Apple-converted-space"> </span><u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""><u class=""></u> <u class=""></u></div><div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in" class=""><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""><b class=""><span class="">From:<span class="m_6182268411284431591Apple-converted-space"> </span></span></b><span class="">"<a href="mailto:yannick.beot@gmail.com" target="_blank" class="">yannick.beot@gmail.com</a>" <<a href="mailto:yannick.beot@gmail.com" target="_blank" class="">yannick.beot@gmail.com</a>><br class=""><b class="">Date:<span class="m_6182268411284431591Apple-converted-space"> </span></b>Tuesday, October 11, 2016 at 12:16 PM<br class=""><b class="">To:<span class="m_6182268411284431591Apple-converted-space"> </span></b>Luiz Omori <<a href="mailto:luiz.omori@duke.edu" target="_blank" class="">luiz.omori@duke.edu</a>>, "<a href="mailto:mitreid-connect@mit.edu" target="_blank" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" target="_blank" class="">mitreid-connect@mit.edu</a>><br class=""><b class="">Subject:<span class="m_6182268411284431591Apple-converted-space"> </span></b>RE: [mitreid-connect] 
JWT Signatures - which public key?</span><span style="font-size:12pt" class=""><u class=""></u><u class=""></u></span></div></div><div class=""><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""><span style="font-family:'Times New Roman'" class=""><u class=""></u> <u class=""></u></span></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">There is a key id present in the header that is interpreted by Nimbus:<span class="m_6182268411284431591Apple-converted-space"> </span><a href="https://tools.ietf.org/html/rfc7515#section-4.1.4" style="color:rgb(149,79,114);text-decoration:underline" target="_blank" class="">https://tools.ietf.org/html/rfc7515#section-4.1.4</a><u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">You should use it to differentiate the keys.<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">Sent from my Windows 10 phone<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0in 0in" class=""><div style="margin:0in 0in 
0.0001pt;font-size:11pt;font-family:Calibri" class=""><b class="">From:<span class="m_6182268411284431591Apple-converted-space"> </span></b><a href="mailto:luiz.omori@duke.edu" style="color:rgb(149,79,114);text-decoration:underline" target="_blank" class="">Luiz Omori</a><br class=""><b class="">Sent:</b> Tuesday, October 11, 2016 18:04<br class=""><b class="">To:<span class="m_6182268411284431591Apple-converted-space"> </span></b><a href="mailto:mitreid-connect@mit.edu" style="color:rgb(149,79,114);text-decoration:underline" target="_blank" class="">mitreid-connect@mit.edu</a><br class=""><b class="">Subject:</b> [mitreid-connect] JWT Signatures - which public key?<u class=""></u><u class=""></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">Hi,<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">In our implementation, upon receiving a request the RS first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the &lt;root&gt;/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for? 
<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">Regards,<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class="">Luiz<u class=""></u><u class=""></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri" class=""> <u class=""></u><u class=""></u></div></div></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important" class="">______________________________<wbr class="">_________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)" class=""><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important" class="">mitreid-connect mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)" class=""><span 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important" class=""><a href="mailto:mitreid-connect@mit.edu" target="_blank" class="">mitreid-connect@mit.edu</a></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)" class=""><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important" class=""><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank" class="">http://mailman.mit.edu/<wbr class="">mailman/listinfo/mitreid-<wbr class="">connect</a></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)" class=""></div></blockquote></div><br class=""></div></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>