<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 5 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"Pr\00E9format\00E9 HTML Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.gmail-nc
{mso-style-name:gmail-nc;}
span.PrformatHTMLCar
{mso-style-name:"Pr\00E9format\00E9 HTML Car";
mso-style-priority:99;
mso-style-link:"Pr\00E9format\00E9 HTML";
font-family:"Courier New";}
span.m6182268411284431591apple-converted-space
{mso-style-name:m_6182268411284431591apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=FR link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>No problem.</p><p class=MsoNormal>I’ll have a look and file an issue if needed</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Envoyé de mon téléphone Windows 10</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>De : </b><a href="mailto:jricher@mit.edu">Justin Richer</a><br><b>Envoyé le :</b>mardi 11 octobre 2016 23:05<br><b>À : </b><a href="mailto:yannick.beot@gmail.com">Yannick Béot</a><br><b>Cc : </b><a href="mailto:luiz.omori@duke.edu">Luiz Omori</a>; <a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br><b>Objet :</b>Re: [mitreid-connect] JWT Signatures - which public key?</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Yannick, thanks for that pointer. Could you please add an issue to the MITREid Connect project to use those classes? The references will be helpful as well.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> — Justin<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Oct 11, 2016, at 4:59 PM, Yannick Béot <<a href="mailto:yannick.beot@gmail.com">yannick.beot@gmail.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>If you use <span class=gmail-nc>JWSVerificationKeySelector from Nimbus to check the JWT (as stated <a href="http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens">http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens</a>), you should be fine.</span>. <o:p></o:p></p><pre style='margin-bottom:12.0pt'><code>JWSKeySelector</code><code><span style='font-family:"Arial",sans-serif'> is filtering keys with a</span> JWKMatcher </code><code><span style='font-family:"Arial",sans-serif'>which checks the kid</span> (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562</a>) </code><br><br><span class=gmail-nc>JWSVerificationKeySelector </span><span class=gmail-nc><span style='font-family:"Arial",sans-serif'>is responsible for creating the </span></span><code>JWKMatcher </code><code><span style='font-family:"Arial",sans-serif'>based on information from the signature, and especially the kid</span> (<a href="https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70">https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70</a>)</code></pre><pre><code><span style='font-family:"Arial",sans-serif'>@Luiz: what are you using to validate the token?</span> </code></pre><pre style='margin-bottom:12.0pt'><o:p> </o:p></pre></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer <<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>The “kid” will be in the header of the JWT you’re validating. I think we’ve got a long-standing issue to enforce that check in the client library, but it should still work as-is.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> — Justin<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal>On Oct 11, 2016, at 12:27 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div><div><div><div><div><div><p class=MsoNormal style='background:white'>Well, which “kid” value should we look for? I checked the <root>/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to be transmitted offline?<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>{<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "keys":[<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> {<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "alg":"RS256",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "e":"xxx",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "n":"xxx”,<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "kty":"RSA",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "use":"enc",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <span class=m6182268411284431591apple-converted-space> </span><b><span style='color:red'>"kid":"<a href="http://mc.duke.edu/" target="_blank"><span style='color:#954F72'>mc.duke.edu</span></a>"</span></b><o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> },<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> {<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "e":"xxx",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "n":"xxx”,<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "kty":"RSA",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <span class=m6182268411284431591apple-converted-space> </span><b><span style='color:red'>"kid":"Test1"</span></b><o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> },<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> {<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "e":"xxx",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "n":"xxx”,<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "kty":"RSA",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <span class=m6182268411284431591apple-converted-space> </span><b><span style='color:red'>"kid":"Test2"</span></b><o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> },<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> {<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "e":"xxx",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "n":"xxx",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> "kty":"RSA",<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <span class=m6182268411284431591apple-converted-space> </span><b><span style='color:red'>"kid":"rsa1"</span></b><o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> }<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> ]<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>}<span class=m6182268411284431591apple-converted-space> </span><o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><div><p class=MsoNormal style='background:white'><b>From:<span class=m6182268411284431591apple-converted-space> </span></b>"<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>" <<a href="mailto:yannick.beot@gmail.com" target="_blank">yannick.beot@gmail.com</a>><br><b>Date:<span class=m6182268411284431591apple-converted-space> </span></b>Tuesday, October 11, 2016 at 12:16 PM<br><b>To:<span class=m6182268411284431591apple-converted-space> </span></b>Luiz Omori <<a href="mailto:luiz.omori@duke.edu" target="_blank">luiz.omori@duke.edu</a>>, "<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>><br><b>Subject:<span class=m6182268411284431591apple-converted-space> </span></b>RE: [mitreid-connect] JWT Signatures - which public key?<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='background:white'><span style='font-family:"Times New Roman",serif'> </span><o:p></o:p></p></div></div><div><p class=MsoNormal style='background:white'>There is a key id present in the header that is interpreted by Nimbus:<span class=m6182268411284431591apple-converted-space> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7515-23section-2D4.1.4&d=CwMFaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=946nVG8V76cufZ4NS83yWjsqNfm4xIW2uP9rsciX32I&s=HLXHrA80eziVyXZG3UyPxIKg-x7A1JpFPBB-62UILWw&e=" target="_blank"><span style='color:#954F72'>https://tools.ietf.org/html/rfc7515#section-4.1.4</span></a><o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>You should use it to differentiate the keys.<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>Envoyé de mon téléphone Windows 10<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><div><p class=MsoNormal style='background:white'><b>De :<span class=m6182268411284431591apple-converted-space> </span></b><a href="mailto:luiz.omori@duke.edu" target="_blank"><span style='color:#954F72'>Luiz Omori</span></a><br><b>Envoyé le :</b>mardi 11 octobre 2016 18:04<br><b>À :<span class=m6182268411284431591apple-converted-space> </span></b><a href="mailto:mitreid-connect@mit.edu" target="_blank"><span style='color:#954F72'>mitreid-connect@mit.edu</span></a><br><b>Objet :</b>[mitreid-connect] JWT Signatures - which public key?<o:p></o:p></p></div></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>Hi,<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>In our implementation, the RS upon receiving a request it first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the <root>/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for? <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>Regards,<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'>Luiz<o:p></o:p></p></div><div><p class=MsoNormal style='background:white'> <o:p></o:p></p></div></div></div></div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;background:white'>_______________________________________________</span><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif'><br><span style='background:white'>mitreid-connect mailing list</span><br><span style='background:white'><a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a></span><br><span style='background:white'><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></span></span><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></blockquote></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>