[mitreid-connect] JWT Signatures - which public key?

Yannick Béot yannick.beot at gmail.com
Wed Oct 12 04:14:05 EDT 2016


Justin,

I have created an issue (#1132).
I have had a quick look at the code. My first idea would be to separate the
validation and signing logic in DefaultJWTSigningAndValidationService.

How come both are merged in the same class? It is pretty separated in the
class with 2 lists (signers & validators).
Either you sign (IdP) or you validate (RP, or RP authentication by
JWT).

Yannick





On Wed, Oct 12, 2016 at 6:36 AM, <yannick.beot at gmail.com> wrote:

> No problem.
>
> I’ll have a look and file an issue if needed
>
>
>
> Sent from my Windows 10 phone
>
>
>
> *From: *Justin Richer <jricher at mit.edu>
> *Sent: *Tuesday, 11 October 2016 23:05
> *To: *Yannick Béot <yannick.beot at gmail.com>
> *Cc: *Luiz Omori <luiz.omori at duke.edu>; mitreid-connect at mit.edu
> *Subject: *Re: [mitreid-connect] JWT Signatures - which public key?
>
>
>
> Yannick, thanks for that pointer. Could you please add an issue to the
> MITREid Connect project to use those classes? The references will be
> helpful as well.
>
>
>
>  — Justin
>
>
>
> On Oct 11, 2016, at 4:59 PM, Yannick Béot <yannick.beot at gmail.com> wrote:
>
>
>
> If you use JWSVerificationKeySelector from Nimbus to check the JWT (as
> stated at http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens),
> you should be fine.
>
> JWSKeySelector is filtering keys with a JWKMatcher which checks the kid (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562)
>
> JWSVerificationKeySelector is responsible for creating the JWKMatcher based on information from the signature, and especially the kid (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70)
>
> @Luiz: what are you using to validate the token?
>
>
>
>
>
> On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer <jricher at mit.edu> wrote:
>
> The “kid” will be in the header of the JWT you’re validating. I think
> we’ve got a long-standing issue to enforce that check in the client
> library, but it should still work as-is.
>
>
>
>  — Justin
>
>
>
> On Oct 11, 2016, at 12:27 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>
>
>
> Well, which “kid” value should we look for? I checked the
> <root>/.well-known/openid-configuration and although it lists the jwk
> endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to
> be transmitted offline?
>
>
>
> {
>   "keys":[
>     {
>       "alg":"RS256",
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "use":"enc",
>       "kid":"mc.duke.edu"
>     },
>     {
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "kid":"Test1"
>     },
>     {
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "kid":"Test2"
>     },
>     {
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "kid":"rsa1"
>     }
>   ]
> }
>
>
>
> *From: *"yannick.beot at gmail.com" <yannick.beot at gmail.com>
> *Date: *Tuesday, October 11, 2016 at 12:16 PM
> *To: *Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <
> mitreid-connect at mit.edu>
> *Subject: *RE: [mitreid-connect] JWT Signatures - which public key?
>
>
>
> There is a key id present in the header that is interpreted by Nimbus:
> https://tools.ietf.org/html/rfc7515#section-4.1.4
>
>
>
> You should use it to differentiate the keys.
>
>
>
>
>
> Sent from my Windows 10 phone
>
>
>
> *From: *Luiz Omori <luiz.omori at duke.edu>
> *Sent: *Tuesday, 11 October 2016 18:04
> *To: *mitreid-connect at mit.edu
> *Subject: *[mitreid-connect] JWT Signatures - which public key?
>
>
>
> Hi,
>
>
>
> In our implementation, the RS, upon receiving a request, first validates
> the access token signature locally before introspecting it. To perform the
> signature validation we use a previously retrieved public key. The issue we
> are facing is that in our case the <root>/jwk endpoint is returning
> multiple keys. How do we figure out which one should be used? Should we
> check the “use” field? If yes, is there a standard value to check for?
>
>
>
> Regards,
>
> Luiz
>
>
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
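Worked example, added to this archive page and not code from MITREid Connect or Nimbus: a standard-library Python verifier that applies the same filters Yannick's JWSVerificationKeySelector/JWKMatcher pointer describes, run against a JWK set shaped like the one Luiz pasted. It covers both questions in the thread: the key is chosen by the "kid" the issuer puts in the JWS header (RFC 7515 section 4.1.4), and "use" does have standard values (RFC 7517 section 4.2: "sig" or "enc"), so the "use":"enc" key whose kid is the issuer hostname is never a verification candidate even when a token names it. The "alg" allow-list rejects "none", the "kty"/"use"/"alg" filters are applied before "kid", and the selector fails closed when zero or more than one key matches (a stricter policy than trying every candidate). The pure-Python RSA key generation, the 1024-bit key size, the sample claims and the choice to reuse the thread's kid values "mc.duke.edu", "Test1" and "rsa1" are constructed for the demo only; nothing here is taken from Duke's actual deployment.

```python
"""Select a JWS verification key from a JWK set by kid/alg/use, then verify RS256.
Standard library only; the RSA keygen/signer at the bottom exists just to mint sample tokens."""
import base64, hashlib, json, secrets
from typing import Optional

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2
ALG_TO_KTY = {"RS256": "RSA"}  # allow-list: any other alg, including "none", is rejected

class KeySelectionError(Exception):
    pass

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def uint_to_b64url(n: int) -> str:
    return b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))

def select_verification_key(header: dict, jwk_set: dict) -> dict:
    """Same filters a JWKMatcher applies (kty, use, alg, kid); fails closed on ambiguity."""
    alg = header.get("alg")
    if alg not in ALG_TO_KTY:
        raise KeySelectionError(f"alg {alg!r} not allowed")
    kid = header.get("kid")
    candidates = [k for k in jwk_set.get("keys", [])
                  if k.get("kty") == ALG_TO_KTY[alg]
                  and k.get("use", "sig") == "sig"        # a "use":"enc" key never verifies
                  and k.get("alg", alg) == alg
                  and (kid is None or k.get("kid") == kid)]
    if len(candidates) != 1:
        raise KeySelectionError(f"{len(candidates)} candidate keys for kid={kid!r}")
    return candidates[0]

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(signing_input, k)   # compare the whole encoding, not just the hash

def verify_jws(token: str, jwk_set: dict) -> dict:
    """Returns the payload claims, or raises KeySelectionError / ValueError."""
    h, p, s = token.split(".")
    jwk = select_verification_key(json.loads(b64url_decode(h)), jwk_set)
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode("ascii"), b64url_decode(s), n, e):
        raise ValueError(f"signature does not verify under kid {jwk.get('kid')!r}")
    return json.loads(b64url_decode(p))

def outcome(token: str, jwk_set: dict) -> str:
    """'ok', 'selection' (no single usable key) or 'signature' (key found, signature bad)."""
    try:
        verify_jws(token, jwk_set)
        return "ok"
    except KeySelectionError:
        return "selection"
    except ValueError:
        return "signature"

# ---- demo-only issuer side (Miller-Rabin keygen + PKCS#1 v1.5 signer); not for production ----
def _probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits: int = 1024) -> dict:   # 1024-bit keeps the demo fast; too small for real use
    def prime() -> int:
        while True:
            c = secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def mint_rs256(claims: dict, key: dict, kid: Optional[str]) -> str:
    header = {"alg": "RS256", **({"kid": kid} if kid else {})}
    h, p = (b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(f"{h}.{p}".encode("ascii"), k), "big")
    return f"{h}.{p}.{b64url_encode(pow(m, key['d'], key['n']).to_bytes(k, 'big'))}"

def build_demo() -> tuple:
    """Constructed JWK set shaped like the one in the thread: an 'enc' key whose kid is the
    issuer hostname plus two signing keys. Returns (jwk_set, private keys by kid)."""
    keys = {"mc.duke.edu": gen_rsa(), "Test1": gen_rsa(), "rsa1": gen_rsa()}
    pub = [{"kty": "RSA", "kid": kid, "n": uint_to_b64url(k["n"]), "e": uint_to_b64url(k["e"])}
           for kid, k in keys.items()]
    pub[0].update(alg="RS256", use="enc")  # the encryption key, never a verification candidate
    return {"keys": pub}, keys
```

With `jwks, priv = build_demo()` and constructed claims such as `{"iss": "https://mc.duke.edu/", "sub": "alice"}`, `outcome(mint_rs256(claims, priv["rsa1"], "rsa1"), jwks)` is "ok"; a token signed by rsa1 but labelled "kid":"Test1" gives "signature" (the key exists, the RSA check fails); a token naming the "enc" key, an unknown kid, no kid at all against two signing keys, or "alg":"none" gives "selection" before any RSA arithmetic runs. In a real RS only the verifier half is kept: the JWK set comes from the issuer's jwks_uri in the discovery document and the issuer's own library signs.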

