<div dir="ltr"><div><div><div><div>Justin,<br><br></div>I have created an issue (#1132).<br></div>I have had a quick look at the code. My first idea would be to separate the validation and signing logic in DefaultJWTSigningAndValidationService.<br><br></div>How come both are merged in the same class? It is pretty separated in the class with 2 lists (signers &amp; validators).<br></div><div>Either you sign (IdP) or you validate (RP or RP authentication by JWT).<br></div><div><br></div>Yannick<br><div><br><br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 12, 2016 at 6:36 AM,  <span dir="ltr">&lt;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="#954F72" lang="FR"><div class="m_-8728529132837741009WordSection1"><p class="MsoNormal">No problem.</p><p class="MsoNormal">I’ll have a look and file an issue if needed.</p><span class=""><p class="MsoNormal"> </p><p class="MsoNormal">Sent from my Windows 10 phone</p><p class="MsoNormal"> </p></span><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal" style="border:none;padding:0cm"><b>From: </b><a href="mailto:jricher@mit.edu" target="_blank">Justin Richer</a><br><b>Sent: </b>Tuesday, 11 October 2016 23:05<br><b>To: </b><a href="mailto:yannick.beot@gmail.com" target="_blank">Yannick Béot</a><br><b>Cc: </b><a href="mailto:luiz.omori@duke.edu" target="_blank">Luiz Omori</a>; <a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a><br><b>Subject: </b>Re: [mitreid-connect] JWT Signatures - which public key?</p></div><div><div class="h5"><p class="MsoNormal"> </p><p class="MsoNormal">Yannick, thanks for that pointer. 
Could you please add an issue to the MITREid Connect project to use those classes? The references will be helpful as well.</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal"> — Justin</p></div><div><p class="MsoNormal"> </p><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">On Oct 11, 2016, at 4:59 PM, Yannick Béot &lt;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt; wrote:</p></div><p class="MsoNormal"> </p><div><div><p class="MsoNormal">If you use <span class="m_-8728529132837741009gmail-nc">JWSVerificationKeySelector from Nimbus to check the JWT (as stated <a href="http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens" target="_blank">http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens</a>), you should be fine.</span> </p><pre style="margin-bottom:12.0pt"><code>JWSKeySelector</code><code><span style="font-family:&quot;Arial&quot;,sans-serif"> is filtering keys with a</span> JWKMatcher </code><code><span style="font-family:&quot;Arial&quot;,sans-serif">which checks the kid</span> (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&amp;fileviewer=file-view-default#JWKMatcher.java-562" target="_blank">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&amp;fileviewer=file-view-default#JWKMatcher.java-562</a>) </code><br><br><span class="m_-8728529132837741009gmail-nc">JWSVerificationKeySelector </span><span class="m_-8728529132837741009gmail-nc"><span style="font-family:&quot;Arial&quot;,sans-serif">is responsible for creating the 
</span></span><code>JWKMatcher </code><code><span style="font-family:&quot;Arial&quot;,sans-serif">based on information from the signature, and especially the kid</span> (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&amp;fileviewer=file-view-default#JWSVerificationKeySelector.java-70" target="_blank">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&amp;fileviewer=file-view-default#JWSVerificationKeySelector.java-70</a>)</code></pre><pre><code><span style="font-family:&quot;Arial&quot;,sans-serif">@Luiz: what are you using to validate the token?</span> </code></pre><pre style="margin-bottom:12.0pt"> </pre></div><div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer &lt;<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>&gt; wrote:</p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><div><p class="MsoNormal">The “kid” will be in the header of the JWT you’re validating. 
I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal"> — Justin</p></div><div><p class="MsoNormal"> </p><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><div><div><p class="MsoNormal">On Oct 11, 2016, at 12:27 PM, Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt; wrote:</p></div><p class="MsoNormal"> </p></div></div><div><div><div><div><div><p class="MsoNormal" style="background:white">Well, which “kid” value should we look for? I checked the &lt;root&gt;/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to be transmitted offline?</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">{</p></div><div><p class="MsoNormal" style="background:white">  &quot;keys&quot;:[</p></div><div><p class="MsoNormal" style="background:white">    {</p></div><div><p class="MsoNormal" style="background:white">      &quot;alg&quot;:&quot;RS256&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;e&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;n&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;kty&quot;:&quot;RSA&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;use&quot;:&quot;enc&quot;,</p></div><div><p class="MsoNormal" style="background:white">     <span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span><b><span style="color:red">&quot;kid&quot;:&quot;<a href="http://mc.duke.edu/" target="_blank"><span style="color:#954f72">mc.duke.edu</span></a>&quot;</span></b></p></div><div><p class="MsoNormal" style="background:white">    },</p></div><div><p class="MsoNormal" style="background:white">    {</p></div><div><p class="MsoNormal" style="background:white">      &quot;e&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;n&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;kty&quot;:&quot;RSA&quot;,</p></div><div><p class="MsoNormal" style="background:white">     <span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span><b><span style="color:red">&quot;kid&quot;:&quot;Test1&quot;</span></b></p></div><div><p class="MsoNormal" style="background:white">    },</p></div><div><p class="MsoNormal" style="background:white">    {</p></div><div><p class="MsoNormal" style="background:white">      &quot;e&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;n&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;kty&quot;:&quot;RSA&quot;,</p></div><div><p class="MsoNormal" style="background:white">     <span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span><b><span style="color:red">&quot;kid&quot;:&quot;Test2&quot;</span></b></p></div><div><p class="MsoNormal" style="background:white">    },</p></div><div><p class="MsoNormal" style="background:white">    {</p></div><div><p class="MsoNormal" style="background:white">      &quot;e&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      
&quot;n&quot;:&quot;xxx&quot;,</p></div><div><p class="MsoNormal" style="background:white">      &quot;kty&quot;:&quot;RSA&quot;,</p></div><div><p class="MsoNormal" style="background:white">     <span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span><b><span style="color:red">&quot;kid&quot;:&quot;rsa1&quot;</span></b></p></div><div><p class="MsoNormal" style="background:white">    }</p></div><div><p class="MsoNormal" style="background:white">  ]</p></div><div><p class="MsoNormal" style="background:white">}<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></p></div><div><p class="MsoNormal" style="background:white"> </p></div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div><p class="MsoNormal" style="background:white"><b>From:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></b>&quot;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&quot; &lt;<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>&gt;<br><b>Date:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></b>Tuesday, October 11, 2016 at 12:16 PM<br><b>To:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></b>Luiz Omori &lt;<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>&gt;, &quot;<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>&quot; &lt;<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>&gt;<br><b>Subject:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></b>RE: [mitreid-connect] JWT Signatures - which public key?</p></div></div><div><div><p class="MsoNormal" style="background:white"><span 
style="font-family:&quot;Times New Roman&quot;,serif"> </span></p></div></div><div><p class="MsoNormal" style="background:white">There is a key id present in the header that is interpreted by Nimbus:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span><a href="https://tools.ietf.org/html/rfc7515#section-4.1.4" target="_blank"><span style="color:#954f72">https://tools.ietf.org/html/rfc7515#section-4.1.4</span></a></p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">You should use it to differentiate the keys.</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">Sent from my Windows 10 phone</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div><p class="MsoNormal" style="background:white"><b>From:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></b><a href="mailto:luiz.omori@duke.edu" target="_blank"><span style="color:#954f72">Luiz Omori</span></a><br><b>Sent: </b>Tuesday, 11 October 2016 18:04<br><b>To:<span class="m_-8728529132837741009m6182268411284431591apple-converted-space"> </span></b><a href="mailto:mitreid-connect@mit.edu" target="_blank"><span style="color:#954f72">mitreid-connect@mit.edu</span></a><br><b>Subject: </b>[mitreid-connect] JWT Signatures - which public 
key?</p></div></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">Hi,</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">In our implementation, upon receiving a request the RS first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the &lt;root&gt;/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for?</p></div><div><p class="MsoNormal" style="background:white"> </p></div><div><p class="MsoNormal" style="background:white">Regards,</p></div><div><p class="MsoNormal" style="background:white">Luiz</p></div><div><p class="MsoNormal" style="background:white"> </p></div></div></div></div><p class="MsoNormal"><span style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,sans-serif;background:white">_______________________________________________</span><span style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,sans-serif"><br><span style="background:white">mitreid-connect mailing list</span><br><span style="background:white"><a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a></span><br><span style="background:white"><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></span></span></p></div></blockquote></div><p class="MsoNormal"> </p></div></div></blockquote></div></div><p class="MsoNormal"> </p><p 
class="MsoNormal"> </p></div></div></div></div></blockquote></div><br></div>
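<p>The exchange above (Justin's "the kid will be in the header", Yannick's pointer to <code>JWSVerificationKeySelector</code>, and Luiz's multi-key JWKS with one <code>"use":"enc"</code> entry) as a worked example. This is an added example, not code from the thread, from MITREid Connect or from Nimbus; it assumes the Nimbus JOSE+JWT library on the classpath and uses only its public API. The key material is generated on the fly and the issuer URL is hypothetical; only the key IDs mirror the JWKS quoted in the thread.</p>

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/** Added example (not MITREid Connect or Nimbus code): pick the verification key out of a multi-key JWK Set by "kid". */
public class KidKeySelection {

    // Throwaway RSA key pair with the given kid and use: constructed test data, not a real JWKS.
    static RSAKey newKey(String kid, KeyUse use) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        return new RSAKey.Builder((RSAPublicKey) kp.getPublic())
                .privateKey((RSAPrivateKey) kp.getPrivate())
                .keyID(kid).keyUse(use).build();
    }

    // IdP side: sign a JWT and name the key in the JWS header "kid" (RFC 7515 section 4.1.4).
    static String sign(RSAKey signingKey, String kidInHeader) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://idp.example/")   // hypothetical issuer
                .subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .build();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kidInHeader).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(signingKey.toRSAPrivateKey()));
        return jwt.serialize();
    }

    // RS side: JWSVerificationKeySelector builds a JWKMatcher from the header (kid, RSA key type,
    // use "sig" or absent, alg RS256 or absent); only the matching candidates are ever tried.
    static JWTClaimsSet verify(String token, JWKSet published) throws Exception {
        JWKSource<SecurityContext> source = new ImmutableJWKSet<>(published);
        JWSKeySelector<SecurityContext> selector =
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source);
        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(selector);
        return processor.process(token, null);
    }

    static void expectReject(String token, JWKSet published, String why) throws Exception {
        try {
            verify(token, published);
            throw new IllegalStateException("accepted a token that should fail: " + why);
        } catch (BadJOSEException e) {
            System.out.println("rejected (" + why + "): " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Same kids as the JWKS quoted in the thread: one encryption key plus signing keys.
        RSAKey encKey = newKey("mc.duke.edu", KeyUse.ENCRYPTION);
        RSAKey test1 = newKey("Test1", KeyUse.SIGNATURE);
        RSAKey rsa1 = newKey("rsa1", KeyUse.SIGNATURE);

        // What the RS fetches from <root>/jwk: public parts only; private keys stay at the IdP.
        JWKSet published = new JWKSet(Arrays.<JWK>asList(
                encKey.toPublicJWK(), test1.toPublicJWK(), rsa1.toPublicJWK()));

        // Header kid=rsa1, signed with rsa1: the selector returns exactly that key.
        System.out.println("verified sub=" + verify(sign(rsa1, "rsa1"), published).getSubject());

        // Header kid names the "use":"enc" key: filtered out, no candidate, rejected.
        expectReject(sign(encKey, "mc.duke.edu"), published, "kid refers to an encryption key");

        // Header kid unknown to the set: rejected, even though Test1 would verify the signature.
        expectReject(sign(test1, "no-such-kid"), published, "unknown kid");

        // Header claims Test1 but the signature was made with rsa1: wrong key selected, rejected.
        expectReject(sign(rsa1, "Test1"), published, "kid does not match the signing key");
    }
}
```

<p>Two checks a practitioner should confirm in their own setup: the <code>JWSAlgorithm</code> handed to the selector pins the expected algorithm, so a token whose header says <code>HS256</code> or <code>none</code> yields no candidate keys and is rejected rather than being verified with an RSA public key as an HMAC secret; and the selector only consults the configured <code>JWKSource</code>, never a <code>jwk</code> or <code>x5c</code> carried in the token header. If a token arrives with no <code>kid</code> at all, the matcher does not constrain by key ID and the processor tries every RS256-capable signing key in the set, which still works but costs one verification per candidate.</p>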