On Fri, Sep 1, 2017 at 10:18 AM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:

> Hi Gayan,
>
> It seems we can use [1] which contains the exact logic to generate 'kid'
> value. WDYT?
>
According to the JWS specification [1]:

The structure of the "kid" value is unspecified. Its value MUST be a
case-sensitive string.

However, the client should be able to obtain the necessary keys by invoking
jwks_uri with the "kid" value. In some implementations "x5t" is used as the "kid".

You can find similar logic in [2] as well.


[1] https://tools.ietf.org/html/rfc7515#section-4.1.4
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/feature-OIDC-enh-5.3.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L414

>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L1568
>
> Thanks,
>
>
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Fri, Sep 1, 2017 at 10:10 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
>
>> In order to retrieve the tenant public key to calculate the kid value, we can
>> use the same logic as in [1].
>>
>> boolean isJWTSignedWithSPKey = OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
>> String tenantDomain;
>> if (isJWTSignedWithSPKey) {
>>     // Sign with the service provider's tenant key: tenant comes from the request property.
>>     tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
>> } else {
>>     // Otherwise sign with the key of the authenticated user's tenant.
>>     tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
>> }
>>
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434
>>
>> On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:
>>
>>> Will prioritize this for IS 5.4.0.
>>>
>>> Thanks,
>>>
>>> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prab...@wso2.com>
>>> wrote:
>>>
>>>> Hope we will fix this for IS 5.4.0..?
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>>>>> parameter in the response.
>>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>>>>
>>>>>>> As per the specification (refer [1]):
>>>>>>>
>>>>>>>> The kid value is a key identifier used in identifying the key to be used
>>>>>>>> to verify the signature. If the kid value is unknown to the RP, it needs
>>>>>>>> to retrieve the contents of the OP's JWK Set again to obtain the OP's
>>>>>>>> current set of keys.
>>>>>>>>
>>>>>>>
>>>>>>> We have hard-coded this "kid" value at the implementation level.
>>>>>>> What happens if the signing key is a different one than the default one?
>>>>>>>
>>>>>>> Seems like this "kid" is like a hint to identify which specific key is to
>>>>>>> be used to validate the signature, when there are multiple keys. Is it a
>>>>>>> valid use case in IS, since there cannot be multiple certs available in
>>>>>>> the resident IDP? And also is it correct to use a hard-coded value from
>>>>>>> the back-end?
>>>>>>>
>>>>>> Having a hard-coded value is not correct. The "kid" value should be
>>>>>> generated based on the certificate "thumbprint". A hard-coded value would
>>>>>> work for the super tenant default keystore.
>>>>>>
>>>>>
>>>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This is hard-coded in JwksEndpoint as well.
>>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>>>>
>>>>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>>>>
>>>>>>> In which scenarios should this "kid" header parameter be sent, and in
>>>>>>> which should it not be sent? Recently we have implemented signing of the
>>>>>>> user info JWT response and need to verify whether the "kid" parameter
>>>>>>> should be sent there as well.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Appreciate your ideas on above concerns.
>>>>>>>
>>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>>>>
>>>>>>>
>>>>>>> Thanks and Regards
>>>>>>> --
>>>>>>> Indunil Upeksha Rathnayake
>>>>>>> Software Engineer | WSO2 Inc
>>>>>>> Email    indu...@wso2.com
>>>>>>> Mobile   0772182255
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Gayan Gunawardana
>>>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: ga...@wso2.com
>>>>>> Mobile: +94 (71) 8020933
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Email    indu...@wso2.com
>>>>> Mobile   0772182255
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Prabath
>>>>
>>>> Twitter : @prabath
>>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>>
>>>> Mobile : +1 650 625 7950
>>>>
>>>> http://facilelogin.com
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>>
>>> Darshana Gunawardana
>>> Technical Lead
>>> WSO2 Inc.; http://wso2.com
>>>
>>> E-mail: darsh...@wso2.com
>>> Mobile: +94718566859
>>> Lean . Enterprise . Middleware
>>>
>>
>>
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>


-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
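The thumbprint-derived "kid" discussed in this thread (x5t as defined in RFC 7515), together with the RP-side behaviour the quoted OpenID Connect Core text requires (an unknown kid means the JWK Set must be fetched again), as an added example. This is not WSO2 Identity Server code and is not taken from the linked DefaultIDTokenBuilder, JwksEndpoint or OAuth2Util sources; it uses only the Go standard library, and the self-signed certificates, the RS256 compact-JWS construction and the names selfSignedCert, kidFromCert, rsaJWK, signRS256, verifyRS256 and ErrUnknownKid are assumptions made for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// selfSignedCert builds a throwaway self-signed certificate: constructed test data, not a tenant keystore.
func selfSignedCert(cn string) (*rsa.PrivateKey, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, der
}

// kidFromCert derives the kid the way RFC 7515 defines x5t: base64url (no padding) of the SHA-1 of the
// DER certificate (x5t#S256 would hash with SHA-256). A rotated cert therefore gets a new kid by itself.
func kidFromCert(der []byte) string {
	s := sha1.Sum(der)
	return base64.RawURLEncoding.EncodeToString(s[:])
}

// Minimal RSA JWK shape (RFC 7517); the JWK Set served from jwks_uri is {"keys": [...]} of these.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func rsaJWK(pub *rsa.PublicKey, kid string) jwk {
	return jwk{Kty: "RSA", Kid: kid, N: base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// signRS256 is the OP side: a compact JWS whose protected header carries the thumbprint kid.
func signRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// ErrUnknownKid is the RP's signal to refetch jwks_uri, as OpenID Connect Core requires for an unknown kid.
var ErrUnknownKid = errors.New("kid not present in cached JWK Set")

// verifyRS256 is the RP side. kid is attacker-controlled header data, so it is only a lookup key into
// the already-fetched JWK Set (never a path or URL to load a key from), and alg is pinned, not trusted.
func verifyRS256(token string, set []jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("rejecting header: alg must be RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range set {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := base64.RawURLEncoding.DecodeString(k.N)
			e, _ := base64.RawURLEncoding.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, ErrUnknownKid
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], raw[2]); err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw[1], &claims)
}
```

Flow on the OP side: publish one rsaJWK entry per signing certificate, each keyed by kidFromCert of that certificate, and put the same kid in every ID token, user-info JWS and JWT access token you sign with it; after a key rotation the new kid appears in both places with no code change. On the RP side: verify against the cached set, and on ErrUnknownKid refetch jwks_uri once and retry; rate-limit that refetch, since the kid is chosen by whoever sent the token and a stream of random kids must not turn into a stream of requests to the OP. A token whose kid names a real key that did not produce the signature fails the signature check, not the lookup, so it is rejected without triggering a refetch.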
