Will prioritize this for IS 5.4.0.

Thanks,

On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prab...@wso2.com>
wrote:

> Hope we will fix this for IS 5.4.0?
>
> Thanks & regards,
> -Prabath
>
> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com>
>> wrote:
>>
>>>
>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>> parameter in the response.
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>
>>>> As per the specification (Refer [1]) :
>>>>
>>>>> The kid value is a key identifier used in identifying the key to be
>>>>> used to verify the signature. If the kid value is unknown to the RP, it
>>>>> needs to retrieve the contents of the OP's JWK Set again to obtain the
>>>>> OP's current set of keys.
>>>>>
>>>>
>>>> We have hard-coded this "kid" value at the implementation level. What
>>>> happens if the signing key is a different one from the default one?
>>>>
>>>> It seems this "kid" is a hint to identify which specific key is to
>>>> be used to validate the signature when there are multiple keys. Is that a
>>>> valid use case in IS, since there cannot be multiple certs available in the
>>>> resident IDP? And also, is it correct to use a hard-coded value from the
>>>> back-end?
>>>>
>>> Having a hard-coded value is not correct. The "kid" value should be generated
>>> based on the certificate "thumbprint". A hard-coded value would only work for the
>>> super tenant default keystore.
>>>
>>
>> Thanks. I have created a public JIRA in [1] to handle this.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>
>>
>>>
>>>>
>>>> This is hard-coded in JwksEndpoint as well.
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>
>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>
>>>> In which scenarios should this "kid" header parameter be sent, and in
>>>> which should it not? Recently we implemented signing of the user info JWT
>>>> response and need to verify whether the "kid" parameter should be sent there as
>>>> well.
>>>>
>>>> Appreciate your ideas on above concerns.
>>>>
>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>
>>>>
>>>> Thanks and Regards
>>>> --
>>>> Indunil Upeksha Rathnayake
>>>> Software Engineer | WSO2 Inc
>>>> Email    indu...@wso2.com
>>>> Mobile   0772182255
>>>>
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email    indu...@wso2.com
>> Mobile   0772182255
>>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
-- 
Regards,


Darshana Gunawardana
Technical Lead
WSO2 Inc.; http://wso2.com

E-mail: darsh...@wso2.com
Mobile: +94718566859
Lean . Enterprise . Middleware
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
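The two points the thread settles on, that "kid" should be derived from the signing certificate's thumbprint rather than hard-coded, and that a relying party which sees an unknown "kid" re-fetches the OP's JWK Set once before giving up, are shown below in an added Python example. It is not WSO2 code and does not reflect how IS eventually implemented IDENTITY-6311. Assumptions: the kid derivation is base64url(SHA-256(certificate DER)) (the thread only says "thumbprint"; any stable digest of the certificate behaves the same way); the DER bytes are constructed placeholders; and HS256 stands in for the RS256 that IS uses, because the standard library has no RSA. A real JWK Set carries only public key material, never a secret; the symmetric key is published here purely so the example runs offline. The last step in `demo()` reproduces the failure the thread is worried about: a token signed by a rotated key that still advertises the old, hard-coded kid.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def kid_from_certificate(cert_der: bytes) -> str:
    """Assumption: kid = base64url(SHA-256 over the certificate's DER bytes).
    The thread only asks for a thumbprint-based kid; the digest is illustrative."""
    return b64url(hashlib.sha256(cert_der).digest())


# Constructed stand-ins for the DER bytes of two tenant keystore certificates.
CERT_V1 = b"constructed-der-bytes: tenant keystore certificate, version 1"
CERT_V2 = b"constructed-der-bytes: tenant keystore certificate, version 2"


class OpKeyStore:
    """OP side: holds signing keys and publishes the JWK Set.
    Assumption: HS256 replaces RS256 so the example runs with the standard
    library only; the kid selection and JWKS lookup are alg-independent."""

    def __init__(self):
        self._keys = {}
        self.current_kid = None

    def rotate(self, cert_der: bytes, secret: bytes) -> str:
        kid = kid_from_certificate(cert_der)
        self._keys[kid] = secret
        self.current_kid = kid
        return kid

    def jwks(self) -> dict:
        # Illustration only: a real JWK Set publishes public keys (RSA n/e), never secrets.
        return {"keys": [{"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url(key)}
                         for kid, key in self._keys.items()]}

    def sign(self, claims: dict, kid_header=None) -> str:
        """kid_header=None advertises the key actually used; passing a fixed
        string reproduces the hard-coded kid the thread objects to."""
        kid = kid_header if kid_header is not None else self.current_kid
        header = {"alg": "HS256", "typ": "JWT", "kid": kid}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self._keys[self.current_kid], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


class RelyingParty:
    """RP side: caches the JWK Set and re-fetches it once when a kid is unknown."""

    def __init__(self, fetch_jwks):
        self._fetch = fetch_jwks
        self._cache = {}
        self.refreshes = 0
        self._load()

    def _load(self):
        self._cache = {jwk["kid"]: b64url_decode(jwk["k"]) for jwk in self._fetch()["keys"]}

    def _key_for(self, kid: str) -> bytes:
        if kid not in self._cache:          # unknown kid: refresh the JWK Set once
            self.refreshes += 1
            self._load()
        if kid not in self._cache:
            raise KeyError(f"unknown kid {kid!r} even after refreshing the JWK Set")
        return self._cache[kid]

    def verify(self, token: str) -> dict:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":    # pin the expected alg; never trust the header's choice
            raise ValueError("unexpected alg")
        key = self._key_for(header.get("kid"))
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("signature does not verify under the advertised kid")
        return json.loads(b64url_decode(p))


def demo() -> dict:
    op = OpKeyStore()
    kid_v1 = op.rotate(CERT_V1, b"constructed-secret-v1")
    rp = RelyingParty(op.jwks)
    claims = {"sub": "alice", "iss": "https://op.example"}
    results = {"before_rotation": rp.verify(op.sign(claims))["sub"]}
    op.rotate(CERT_V2, b"constructed-secret-v2")          # key rotated; RP cache is now stale
    results["after_rotation"] = rp.verify(op.sign(claims))["sub"]   # unknown kid triggers one refresh
    results["refreshes"] = rp.refreshes
    try:                                                  # hard-coded kid: signed with v2, advertises v1
        rp.verify(op.sign(claims, kid_header=kid_v1))
        results["hardcoded_kid"] = "accepted"
    except ValueError:
        results["hardcoded_kid"] = "rejected"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The refresh-once rule keeps an attacker-controlled token from turning the RP into a JWKS-fetching loop: a kid that is still unknown after one refresh is rejected, not retried. The same lookup applies unchanged to the signed user info response and to the JWT issued by JWTTokenGenerator, which is why a consistent, certificate-derived kid across all three signers is what makes RP-side key selection work after a keystore change.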