[mitreid-connect] JWT Signatures - which public key?

yannick.beot@gmail.com yannick.beot at gmail.com
Tue Oct 11 12:16:01 EDT 2016


There is a key id present in the header that is interpreted by Nimbus: https://tools.ietf.org/html/rfc7515#section-4.1.4

You should use it to differentiate the keys.


Sent from my Windows 10 phone

From: Luiz Omori
Sent: Tuesday, 11 October 2016 18:04
To: mitreid-connect at mit.edu
Subject: [mitreid-connect] JWT Signatures - which public key?

Hi,

In our implementation, the RS, upon receiving a request, first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the <root>/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for?

Regards,
Luiz
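The selection the reply describes, as an added example written for this thread (it is not MITREid Connect code and not taken from the original messages): the resource server parses the JWS header, takes its `kid` (RFC 7515 section 4.1.4), looks that id up in the JWK Set it fetched earlier, checks the key's `use` (RFC 7517 defines `sig` for signing keys and `enc` for encryption keys, which answers the question about a standard value) and, where present, that the key's `alg` matches the header, and only then verifies with that one public key. It uses the Nimbus JOSE+JWT library that the reply mentions; the two key ids, the issuer URL, the subject and the use of `RSAKeyGenerator` (a class from later Nimbus releases) are assumptions made for the example, and the two keys stand in for the server's previous and current signing keys.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;

/** Added example (not MITREid Connect code): choose the verification key by "kid". */
public class KidSelectionExample {

    /** Verify a JWS against the single JWKS entry named by its "kid" header. */
    static boolean verifyWithJwks(SignedJWT jwt, JWKSet jwks) throws JOSEException {
        String kid = jwt.getHeader().getKeyID();
        if (kid == null) {
            return false;            // no kid: reject rather than trying every key in the set
        }
        JWK jwk = jwks.getKeyByKeyId(kid);
        if (jwk == null) {
            return false;            // unknown kid, e.g. a stale JWKS cache after key rotation
        }
        // "use":"sig" is the RFC 7517 value for signing keys; never verify with an "enc" key.
        if (jwk.getKeyUse() != null && !KeyUse.SIGNATURE.equals(jwk.getKeyUse())) {
            return false;
        }
        // If the key advertises an "alg", it must agree with the algorithm in the JWS header.
        if (jwk.getAlgorithm() != null && !jwk.getAlgorithm().equals(jwt.getHeader().getAlgorithm())) {
            return false;
        }
        RSAKey rsaKey = jwk.toRSAKey();   // this example only handles RSA signing keys
        return jwt.verify(new RSASSAVerifier(rsaKey.toRSAPublicKey()));
    }

    public static void main(String[] args) throws JOSEException, ParseException {
        // Constructed stand-ins for the server's previous and current signing keys (assumed kids).
        RSAKey previous = new RSAKeyGenerator(2048).keyID("2016-09")
                .keyUse(KeyUse.SIGNATURE).algorithm(JWSAlgorithm.RS256).generate();
        RSAKey current = new RSAKeyGenerator(2048).keyID("2016-10")
                .keyUse(KeyUse.SIGNATURE).algorithm(JWSAlgorithm.RS256).generate();

        // What the <root>/jwk endpoint would publish: the public halves of both keys.
        String jwksJson = new JWKSet(Arrays.asList(previous, current)).toPublicJWKSet().toString();
        JWKSet cached = JWKSet.parse(jwksJson);        // the RS's previously retrieved copy

        // A token issued under the current key; the header names that key by kid.
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://issuer.example/")       // assumed issuer
                .subject("luiz")                         // assumed subject
                .expirationTime(new Date(System.currentTimeMillis() + 300_000L))
                .build();
        SignedJWT token = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(current.getKeyID()).build(), claims);
        token.sign(new RSASSASigner(current));

        // The RS receives the compact serialization and verifies it with the selected key.
        SignedJWT received = SignedJWT.parse(token.serialize());
        System.out.println("kid=" + received.getHeader().getKeyID()
                + " valid=" + verifyWithJwks(received, cached));

        // Same claims, but the header names a kid that is not in the JWKS: rejected.
        SignedJWT unknownKid = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("2015-01").build(), claims);
        unknownKid.sign(new RSASSASigner(current));
        System.out.println("kid=" + unknownKid.getHeader().getKeyID()
                + " valid=" + verifyWithJwks(unknownKid, cached));
    }
}
```

The first verification succeeds because the kid resolves to the key that signed the token; the second fails at the lookup, which is the intended behaviour: an unknown kid should trigger a refresh of the cached JWKS (with a rate limit) rather than a loop over every published key. Checking `use` and `alg` against the header closes the gap where a key published for encryption, or for a different algorithm, would otherwise be accepted for signature verification.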
