
List:       wsf-java-dev
Subject:    [Dev]  [IS] Usage of "kid" JWT header parameter
From:       Indunil Upeksha Rathnayake <indunil () wso2 ! com>
Date:       2017-08-28 6:30:32
Message-ID: CA+zY8Gui1s5C+za1La8Z54fw=6+QikOE+Ao8HqhKSwtxGNSk0g () mail ! gmail ! com


Hi,

In IS, when signing the ID token, we are passing the "kid" header parameter
in the response.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122


As per the specification (Refer [1]) :

> The kid value is a key identifier used in identifying the key to be used
> to verify the signature. If the kid value is unknown to the RP, it needs to
> retrieve the contents of the OP's JWK Set again to obtain the OP's current
> set of keys.

We have hard-coded this "kid" value at the implementation level. What
happens if the signing key is a different one than the default one?

Seems like this "kid" is a hint to identify which specific key is to be
used to validate the signature when there are multiple keys. Is it a valid
use case in IS, since there cannot be multiple certs available in the resident
IDP? Also, is it correct to use a hard-coded value from the back-end?



This is hard-coded in JwksEndpoint as well.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54


But in JWTTokenGenerator, we are not setting the "kid" parameter.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293


In which scenarios should this "kid" header parameter be sent, and in which
should it not? Recently we implemented signing of the user info JWT
response and need to verify whether the "kid" parameter should be sent there
as well.



I would appreciate your ideas on the above concerns.

[1] http://openid.net/specs/openid-connect-core-1_0.html


Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indunil@wso2.com
Mobile   0772182255
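An added example (not code from IS or from this thread) of the RP-side behaviour the quoted spec text describes: selecting the verification key by "kid" from a cached JWK Set, retrieving the OP's set once more when the "kid" is unknown, and what goes wrong when a hard-coded "kid" no longer matches the key that actually signed the token. It assumes HS256 secrets in place of the OP's RSA keys, purely to stay standard-library only, and the constructed key names key_a and key_b.

```python
import base64, hashlib, hmac, json
# Constructed sample keys: HS256 secrets stand in for the OP's RSA keys only to stay stdlib.
KEY_A, KEY_B = b"constructed-secret-A", b"constructed-secret-B"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes, kid: str) -> str:
    # OP side: compact JWS whose header advertises the kid the RP should select.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

class RelyingParty:  # RP side: caches the OP's JWK Set (reduced to kid -> key) and picks the key by kid
    def __init__(self, fetch_jwks):
        self.fetch_jwks = fetch_jwks  # callable standing in for an HTTPS GET of the jwks_uri
        self.keys = fetch_jwks()

    def verify(self, token: str) -> dict:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never trust alg from the token
        kid = header.get("kid")
        if kid not in self.keys:
            # Spec behaviour: unknown kid -> retrieve the OP's current JWK Set once, then give up.
            self.keys = self.fetch_jwks()
            if kid not in self.keys:
                raise ValueError(f"unknown kid {kid!r}")
        expected = hmac.new(self.keys[kid], f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError(f"signature does not verify under the key selected by kid {kid!r}")
        return json.loads(b64url_decode(payload_b64))

def rotation_demo() -> tuple:
    # OP rotates to KEY_B (still publishing KEY_A) after the RP cached the old key set.
    published = {"key_a": KEY_A}
    rp = RelyingParty(lambda: dict(published))
    published["key_b"] = KEY_B
    claims = {"iss": "https://op.example", "sub": "alice"}
    try:  # hard-coded stale kid on a token signed with the new key: RP selects KEY_A and fails
        rp.verify(sign_jwt(claims, KEY_B, "key_a"))
        stale = "verified"
    except ValueError as err:
        stale = str(err)
    return rp.verify(sign_jwt(claims, KEY_B, "key_b"))["sub"], stale  # fresh kid: refetch, verifies
```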

