
List:       esb-java-dev
Subject:    Re: [Dev] [IS] Usage of "kid" JWT header parameter
From:       Darshana Gunawardana <darshana () wso2 ! com>
Date:       2017-08-31 17:55:13
Message-ID: CAAFLTArVmo=SLfZata+45FNqccffF9xWVjgYGDEEAWFOXUw9Pg () mail ! gmail ! com


Will prioritize this for IS 5.4.0.

Thanks,

On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prabath@wso2.com>
wrote:

> Hope we will fix this for IS 5.4.0..?
>
> Thanks & regards,
> -Prabath
>
> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
> indunil@wso2.com> wrote:
>
>> Hi,
>>
>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <gayan@wso2.com>
>> wrote:
>>
>>>
>>>
>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>> indunil@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>> parameter in the response.
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>
>>>> As per the specification (refer to [1]):
>>>>
>>>>> The kid value is a key identifier used in identifying the key to be
>>>>> used to verify the signature. If the kid value is unknown to the RP, it
>>>>> needs to retrieve the contents of the OP's JWK Set again to obtain the OP's
>>>>> current set of keys.
>>>>>
>>>>
>>>> We have hard coded this "kid" value at the implementation level. What
>>>> happens if the signing key is different from the default one?
>>>>
>>>> It seems this "kid" is a hint to identify which specific key should be
>>>> used to validate the signature when there are multiple keys. Is it a
>>>> valid use case in IS, since there cannot be multiple certs available in
>>>> the resident IDP? And also, is it correct to use a hard coded value from
>>>> the back-end?
>>>>
>>> Having a hard coded value is not correct. The "kid" value should be generated
>>> based on the certificate "thumbprint". A hard coded value would only work for the
>>> super tenant default keystore.
>>>
>>
>> Thanks. I have created a public JIRA in [1] to handle this.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>
>>
>>>
>>>>
>>>>
>>>>
>>>> This is hard coded in JwksEndpoint as well.
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>
>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>
>>>> In which scenarios should this "kid" header parameter be sent, and in
>>>> which should it not? Recently we implemented signing of the user info JWT
>>>> response and need to verify whether the "kid" parameter should be sent there as
>>>> well.
>>>>
>>>>
>>>>
>>>> Appreciate your ideas on above concerns.
>>>>
>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>
>>>>
>>>> Thanks and Regards
>>>> --
>>>> Indunil Upeksha Rathnayake
>>>> Software Engineer | WSO2 Inc
>>>> Email    indunil@wso2.com
>>>> Mobile   0772182255
>>>>
>>>
>>>
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: gayan@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email    indunil@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>



-- 
Regards,


Darshana Gunawardana
Technical Lead
WSO2 Inc.; http://wso2.com

E-mail: darshana@wso2.com
Mobile: +94718566859
Lean . Enterprise . Middleware
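
As an added example, not code from WSO2 IS or from anyone in this thread, the following Go program (Go rather than Java only so it runs with the standard library alone) shows the behaviour the thread is about. The "kid" is derived from the signing certificate's thumbprint; here that is base64url of the SHA-256 of the DER certificate, in the style of RFC 7517's x5t#S256, and since the thread does not state which hash IDENTITY-6311 settled on, that choice is an assumption. Every signed JWT carries the kid, the relying party selects the verification key by kid, and when the kid is unknown it retrieves the JWK Set once more, as the OpenID Connect Core text quoted above requires, before rejecting. The last step reproduces the hard-coded-kid failure mode Indunil asks about: a token signed by a second (tenant) keystore but labelled with the default kid is checked against the wrong key and rejected, even though the right key is published. The names kidFromCert, rpVerifier, RunScenario and Result, the two self-signed certificates and the in-memory fetch stub are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T { // setup helper: this example only panics on broken key material
	if err != nil {
		panic(err)
	}
	return v
}

// Added example, not WSO2 IS code. kid = base64url(SHA-256(certificate DER)),
// the x5t#S256-style thumbprint of RFC 7517, chosen here as an assumption.
func kidFromCert(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newSigningCert models one keystore: a fresh RSA key and a self-signed certificate, both constructed here.
func newSigningCert() (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return key, must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// signRS256 builds a compact JWS carrying the given kid in the protected header.
func signRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr := must(json.Marshal(map[string]string{"alg": "RS256", "kid": kid}))
	input := b64(hdr) + "." + b64(must(json.Marshal(claims)))
	digest := sha256.Sum256([]byte(input))
	return input + "." + b64(must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])))
}

// jwks is the OP's published key set as the RP caches it: kid -> public key.
type jwks map[string]*rsa.PublicKey

// rpVerifier re-fetches the JWK Set once on an unknown kid; fetch is stubbed so the example runs offline.
type rpVerifier struct {
	cached    jwks
	fetch     func() jwks
	Refetches int
}

// Verify returns the kid whose key validated the token, or an error.
func (v *rpVerifier) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr map[string]string
	if err != nil || err2 != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr["alg"] != "RS256" {
		return "", fmt.Errorf("rejected header %q", parts[0]) // pin the alg; never trust "none" or HS* here
	}
	kid := hdr["kid"]
	pub, ok := v.cached[kid]
	if !ok { // unknown kid: retrieve the OP's JWK Set again, then give up
		v.Refetches++
		v.cached = v.fetch()
		if pub, ok = v.cached[kid]; !ok {
			return "", fmt.Errorf("kid %q unknown even after JWKS refresh", kid)
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature invalid under kid %q", kid)
	}
	return kid, nil
}

type Result struct {
	KidDefault, KidTenant string
	DefaultOK, TenantOK   bool
	Refetches             int
	MismatchErr           error // tenant key signed the token, but the default kid was sent
}

// RunScenario: the RP starts with only the default (super tenant) key cached.
func RunScenario() Result {
	keyDef, derDef := newSigningCert()
	keyTen, derTen := newSigningCert()
	r := Result{KidDefault: kidFromCert(derDef), KidTenant: kidFromCert(derTen)}
	published := jwks{r.KidDefault: &keyDef.PublicKey, r.KidTenant: &keyTen.PublicKey}
	rp := &rpVerifier{cached: jwks{r.KidDefault: &keyDef.PublicKey}, fetch: func() jwks { return published }}
	claims := map[string]any{"iss": "https://op.example", "sub": "alice"} // constructed sample claims
	_, err := rp.Verify(signRS256(keyDef, r.KidDefault, claims))
	r.DefaultOK = err == nil
	_, err = rp.Verify(signRS256(keyTen, r.KidTenant, claims)) // unknown kid -> one refresh -> OK
	r.TenantOK, r.Refetches = err == nil, rp.Refetches
	_, r.MismatchErr = rp.Verify(signRS256(keyTen, r.KidDefault, claims)) // the hard-coded-kid failure mode
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The point of the last step is that a fixed kid does not merely waste the hint: once a second keystore signs tokens, the relying party will deterministically pick the wrong key and reject valid tokens, and nothing in the token tells it to look further. Deriving the kid from the certificate gives each keystore its own identifier, and the refetch-once rule then lets relying parties pick up a rotated or tenant-specific key without a restart.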




_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

