Hope we will fix this for IS 5.4.0..?

Thanks & regards,
-Prabath

On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
> Hi,
>
> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>
>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>> Hi,
>>>
>>> In IS, when signing the ID token, we are passing the "kid" header parameter in the response.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>
>>> As per the specification (Refer [1]):
>>>
>>>> *The kid value is a key identifier used in identifying the key to be used to verify the signature. If the kid value is unknown to the RP, it needs to retrieve the contents of the OP's JWK Set again to obtain the OP's current set of keys.*
>>>
>>> We have hard coded this "kid" value in the implementation level. What happens if the signing key is a different one than the default one?
>>>
>>> Seems like this "kid" is like a hint to identify which specific key to be used to validate the signature, when there are multiple keys. Is it a valid use case in IS, since there cannot be multiple certs available in resident IDP? And also is it correct to use a hard coded value from back-end?
>>
>> Having hard coded value is not correct. "kid" value should be generated based on certificate "thumbprint". Hard coded value would work for super tenant default keystore.
>
> Thanks. I have created a public JIRA in [1] to handle this.
>
> [1] https://wso2.org/jira/browse/IDENTITY-6311
>
>>> This is hard coded in JwksEndpoint as well.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>
>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>
>>> In which scenarios, this "kid" header parameter should be sent and should not be sent? Recently we have implemented to sign the user info JWT response and need to verify whether "kid" parameter should be sent there as well.
>>>
>>> Appreciate your ideas on above concerns.
>>>
>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>
>>> Thanks and Regards
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Email indu...@wso2.com
>>> Mobile 0772182255
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email indu...@wso2.com
> Mobile 0772182255

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
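The "kid" handling debated in the quoted thread, as an added Python example that is not WSO2's code: a thumbprint-derived kid, the JWKS an OP would publish from it, and the RP-side lookup the OIDC Core text describes (refetch the JWK Set once when the kid is unknown), alongside why a hard-coded kid breaks that lookup once more than one key is in play. The certificate bytes are constructed stand-ins and the SHA-256/base64url choice is an assumption, not the IS implementation.

```python
import base64
import hashlib
from typing import Callable, List, Optional

# Constructed stand-ins for DER-encoded signing certificates (not real certs):
# the super-tenant default keystore cert and a tenant keystore cert.
SUPER_TENANT_CERT = b"constructed-der:super-tenant-default-keystore"
TENANT_CERT = b"constructed-der:tenant-foo.com-keystore"


def kid_from_cert(cert_der: bytes) -> str:
    """kid as a base64url-encoded SHA-256 thumbprint of the certificate DER.
    Assumption: the hash/encoding choice is ours, not WSO2's implementation."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_jwks(certs: List[bytes], hard_coded_kid: Optional[str] = None) -> dict:
    """Publish one JWK per cert. With hard_coded_kid set, every entry carries
    the same kid (the defect discussed in the thread); otherwise each entry
    gets its thumbprint kid. x5t#S256 is the RFC 7515 cert thumbprint field."""
    keys = []
    for der in certs:
        thumb = kid_from_cert(der)
        keys.append({"kty": "RSA", "use": "sig", "alg": "RS256",
                     "kid": hard_coded_kid or thumb, "x5t#S256": thumb})
    return {"keys": keys}


def resolve_key(kid: str, jwks: dict, refetch: Callable[[], dict]) -> dict:
    """RP-side lookup per OIDC Core: match the JOSE header kid against the
    cached JWKS; if it is unknown, refetch the JWK Set once and retry.
    Refuses to pick a key when the kid is ambiguous (more than one match)."""
    for attempt in range(2):
        matches = [k for k in jwks["keys"] if k.get("kid") == kid]
        if len(matches) == 1:
            return matches[0]
        if len(matches) > 1:
            raise ValueError(f"kid {kid!r} matches {len(matches)} keys; cannot select")
        if attempt == 0:
            jwks = refetch()  # kid unknown: the OP may have rotated its key
    raise KeyError(f"kid {kid!r} not found after refreshing JWKS")
```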
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev