[mitreid-connect] Keystore
Luiz Omori
luiz.omori at duke.edu
Fri Aug 28 14:09:26 EDT 2015
Hi,
One minor thing, but that surprisingly is generating quite a few emails internally, is indirectly related to the configuration below (crypto-config.xml):
<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
<constructor-arg name="keyStore" ref="defaultKeyStore" />
<property name="defaultSignerKeyId" value="rsa1" />
<property name="defaultSigningAlgorithmName" value="RS256" />
</bean>
Question: can "use": "sig" (as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41) be used as discriminator for the signing key? In other words, why use the key ID and algorithm?
If multiple keys with "use": "sig" may be present, how does the client know which one returned from "jwks_uri":"http://localhost:8080/ldap-openid-connect-server/jwk" (from well-known endpoint) should be used? We've noticed that that endpoint seems to be returning all keys (we haven't tested other private keys but at least for the one used for signing the private modulus is removed, as expected).
Regards,
Luiz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150828/c0f9af57/attachment.html
More information about the mitreid-connect
mailing list