<div dir="ltr"><div>If you use <code class="gmail-language-java gmail-hljs">JWSVerificationKeySelector</code> from Nimbus to check the JWT (as stated at <a href="http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens">http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens</a>), you should be fine.</div><div><br></div><div><code class="gmail-language-java gmail-hljs">JWSKeySelector</code> is filtering keys with a <code class="gmail-language-java gmail-hljs">JWKMatcher</code>, which checks the kid (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&amp;fileviewer=file-view-default#JWKMatcher.java-562">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&amp;fileviewer=file-view-default#JWKMatcher.java-562</a>).</div><div><br></div><div><code class="gmail-language-java gmail-hljs">JWSVerificationKeySelector</code> is responsible for creating the <code class="gmail-language-java gmail-hljs">JWKMatcher</code> based on information from the signature, and especially the kid (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&amp;fileviewer=file-view-default#JWSVerificationKeySelector.java-70">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&amp;fileviewer=file-view-default#JWSVerificationKeySelector.java-70</a>).</div><div><br></div><div>@Luiz: what are you using to validate the token?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer <span dir="ltr">&lt;<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">The “kid” will be in the header of the JWT you’re validating. 
I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.<div><br></div><div> — Justin</div><div><br><div><blockquote type="cite"><div><div class="h5"><div>On Oct 11, 2016, at 12:27 PM, Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt; wrote:</div><br></div></div><div><div><div class="h5"><div class="m_6182268411284431591WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">Well, which “kid” value should we look for? I checked the &lt;root&gt;/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to be transmitted offline?</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><pre style="font-size:11pt">{
  &quot;keys&quot;:[
    {
      &quot;alg&quot;:&quot;RS256&quot;,
      &quot;e&quot;:&quot;xxx&quot;,
      &quot;n&quot;:&quot;xxx&quot;,
      &quot;kty&quot;:&quot;RSA&quot;,
      &quot;use&quot;:&quot;enc&quot;,
      <b><span style="color:red">&quot;kid&quot;:&quot;mc.duke.edu&quot;</span></b>
    },
    {
      &quot;e&quot;:&quot;xxx&quot;,
      &quot;n&quot;:&quot;xxx&quot;,
      &quot;kty&quot;:&quot;RSA&quot;,
      <b><span style="color:red">&quot;kid&quot;:&quot;Test1&quot;</span></b>
    },
    {
      &quot;e&quot;:&quot;xxx&quot;,
      &quot;n&quot;:&quot;xxx&quot;,
      &quot;kty&quot;:&quot;RSA&quot;,
      <b><span style="color:red">&quot;kid&quot;:&quot;Test2&quot;</span></b>
    },
    {
      &quot;e&quot;:&quot;xxx&quot;,
      &quot;n&quot;:&quot;xxx&quot;,
      &quot;kty&quot;:&quot;RSA&quot;,
      <b><span style="color:red">&quot;kid&quot;:&quot;rsa1&quot;</span></b>
    }
  ]
}</pre><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0in 0in"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"><b>From: </b>&quot;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&quot; &lt;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt;<br><b>Date: </b>Tuesday, October 11, 2016 at 12:16 PM<br><b>To: </b>Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt;, &quot;<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>&quot; &lt;<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>&gt;<br><b>Subject: </b>RE: [mitreid-connect] JWT Signatures - which public key?</div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">There is a key id present in the header that is interpreted by Nimbus: <a href="https://tools.ietf.org/html/rfc7515#section-4.1.4" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">https://tools.ietf.org/html/rfc7515#section-4.1.4</a></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">You should use it to differentiate the keys.</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">Sent from my Windows 10 phone</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0in 0in"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"><b>From: </b><a href="mailto:luiz.omori@duke.edu" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">Luiz Omori</a><br><b>Sent: </b>Tuesday, 11 October 2016 18:04<br><b>To: </b><a href="mailto:mitreid-connect@mit.edu" style="color:rgb(149,79,114);text-decoration:underline" target="_blank">mitreid-connect@mit.edu</a><br><b>Subject: </b>[mitreid-connect] JWT Signatures - which public key?</div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">Hi,</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">In our implementation, the RS, upon receiving a request, first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the &lt;root&gt;/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for?</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">Regards,</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri">Luiz</div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri"> </div></div></div></div><span style="font-family:Helvetica;font-size:12px">_______________________________________________</span><br><span 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important">mitreid-connect mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important"><a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important"><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/mitreid-<wbr>connect</a></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)"></div></blockquote></div><br></div></div></blockquote></div><br></div>
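<div dir="ltr"><div>The validation path the thread converges on (let Nimbus pick the key whose <code>kid</code> the JWS header names, instead of guessing from <code>use</code>), written out as an added example. This is my code, not code from the thread or from the Nimbus JOSE+JWT project; it assumes Nimbus JOSE+JWT on the classpath with the processor API used in the linked connect2id example, generates throwaway 2048-bit RSA keys at runtime, reuses the kids <code>mc.duke.edu</code> and <code>rsa1</code> from the quoted JWK set, and the issuer <code>https://as.example</code> and the kid <code>not-in-jwks</code> are constructed for the demonstration.</div></div>

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/**
 * Added example (not from the thread or the Nimbus project): a resource server
 * validating RS256 access tokens against a JWK set holding several keys, with
 * JWSVerificationKeySelector choosing the key by the header's "kid".
 */
public class KidSelectionExample {

    /** Resource-server side: verify the token with whichever published key its "kid" names. */
    static JWTClaimsSet validate(String token, JWKSet publishedKeys) throws Exception {
        JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(publishedKeys);
        // Builds a JWKMatcher from the expected alg and the JWS header's kid, so only
        // the JWK(s) with that kid (and a matching kty) are handed to the verifier.
        JWSKeySelector<SecurityContext> keySelector =
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource);
        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(keySelector);
        // Parses the compact JWT, selects the key, verifies the signature and checks exp/nbf.
        return processor.process(token, null);
    }

    /** Constructed key material: a fresh 2048-bit RSA key with the given kid and use. */
    static RSAKey newKey(String kid, KeyUse use) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        return new RSAKey.Builder((RSAPublicKey) kp.getPublic())
                .privateKey((RSAPrivateKey) kp.getPrivate())
                .keyUse(use)
                .keyID(kid)
                .build();
    }

    /** Authorization-server side: sign a token and name the signing key in the header's kid. */
    static String sign(RSAKey signingKey, String subject) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(subject)
                .issuer("https://as.example")  // constructed issuer (assumption)
                .expirationTime(new Date(System.currentTimeMillis() + 60_000L))
                .build();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(signingKey.getKeyID())
                .build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(signingKey));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Constructed JWK set shaped like the one quoted in the thread: one key marked
        // "use":"enc" and one signing key, each published under its own kid.
        RSAKey encKey = newKey("mc.duke.edu", KeyUse.ENCRYPTION);
        RSAKey sigKey = newKey("rsa1", KeyUse.SIGNATURE);
        JWKSet published = new JWKSet(Arrays.<JWK>asList(encKey.toPublicJWK(), sigKey.toPublicJWK()));

        // Token signed with the published signing key: the selector finds kid "rsa1".
        JWTClaimsSet claims = validate(sign(sigKey, "alice"), published);
        System.out.println("accepted, sub=" + claims.getSubject());

        // Token signed with a key the server never published: its kid matches nothing,
        // the selector returns no candidates and the processor rejects the token.
        RSAKey unpublished = newKey("not-in-jwks", KeyUse.SIGNATURE);  // constructed kid
        try {
            validate(sign(unpublished, "mallory"), published);
        } catch (BadJOSEException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

<div dir="ltr"><div>The point for a resource server is that the <code>kid</code> comes from the token header, not from the discovery document, so nothing has to be transmitted out of band: the AS names the signing key in each token and the RS looks it up in the JWK set. The example does not exercise the <code>use</code> question; my reading of the selector's source is that the matcher it builds also admits only keys whose <code>use</code> is <code>sig</code> or unset, but the kid match shown above is what the thread relies on.</div></div>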