<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The “kid” will be in the header of the JWT you’re validating. I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 11, 2016, at 12:27 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">Well, which “kid” value should we look for? I checked the <root>/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to be transmitted offline?<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">{<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "keys":[<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> {<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "alg":"RS256",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "e":"xxx",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "n":"xxx”,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "kty":"RSA",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "use":"enc",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <span class="Apple-converted-space"> </span><b class=""><span style="color: red;" class="">"kid":"<a href="http://mc.duke.edu/" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">mc.duke.edu</a>"</span><o:p class=""></o:p></b></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> },<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> {<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "e":"xxx",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "n":"xxx”,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "kty":"RSA",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <span class="Apple-converted-space"> </span><b class=""><span style="color: red;" class="">"kid":"Test1"</span><o:p class=""></o:p></b></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> },<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> {<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "e":"xxx",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "n":"xxx”,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "kty":"RSA",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <span class="Apple-converted-space"> </span><b class=""><span style="color: red;" class="">"kid":"Test2"</span><o:p class=""></o:p></b></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> },<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> {<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "e":"xxx",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "n":"xxx",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> "kty":"RSA",<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <span class="Apple-converted-space"> </span><b class=""><span style="color: red;" class="">"kid":"rsa1"</span><o:p class=""></o:p></b></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> }<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> ]<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">}<span class="Apple-converted-space"> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""><o:p class=""> </o:p></div><div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""><b class=""><span style="" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="" class="">"<a href="mailto:yannick.beot@gmail.com" class="">yannick.beot@gmail.com</a>" <<a href="mailto:yannick.beot@gmail.com" class="">yannick.beot@gmail.com</a>><br class=""><b class="">Date:<span class="Apple-converted-space"> </span></b>Tuesday, October 11, 2016 at 12:16 PM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>>, "<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>RE: [mitreid-connect] JWT Signatures - which public key?</span><span style="font-size: 12pt;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""><span style="font-family: 'Times New Roman';" class=""><o:p class=""> </o:p></span></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">There is a key id present in the header that is interpreted by Nimbus:<span class="Apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7515-23section-2D4.1.4&d=CwMFaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=946nVG8V76cufZ4NS83yWjsqNfm4xIW2uP9rsciX32I&s=HLXHrA80eziVyXZG3UyPxIKg-x7A1JpFPBB-62UILWw&e=" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://tools.ietf.org/html/rfc7515#section-4.1.4</a><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">You should use it to differentiate the keys.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">Envoyé de mon téléphone Windows 10<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="border-style: solid none none; border-top-color: rgb(225, 225, 225); border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""><b class="">De :<span class="Apple-converted-space"> </span></b><a href="mailto:luiz.omori@duke.edu" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Luiz Omori</a><br class=""><b class="">Envoyé le :</b>mardi 11 octobre 2016 18:04<br class=""><b class="">À :<span class="Apple-converted-space"> </span></b><a href="mailto:mitreid-connect@mit.edu" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">mitreid-connect@mit.edu</a><br class=""><b class="">Objet :</b>[mitreid-connect] JWT Signatures - which public key?<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">Hi,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">In our implementation, the RS upon receiving a request it first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the <root>/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for? <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">Regards,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class="">Luiz<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri;" class=""> <o:p class=""></o:p></div></div><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class="">mitreid-connect mailing list</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class=""><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a></span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class=""><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""></div></blockquote></div><br class=""></div></body></html>