Hi all,
Through the identity.xml it is possible to change the signature algorithm
for the following JWT tokens:
1. Access token
2. ID Token
3. UserInfoJWT
It is possible to set different types of algorithms for each of the tokens.
After a token is signed and sent to the user, they can access the JWKS
endpoint to get the public key. In our current JWKS endpoint, we only show
one key set, like this:
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
      "alg": "RS256",
      "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
    }
  ]
}
By using this keyset, the user can create the public key and validate his
token. Please refer to [1] for each element in the keyset.
Currently, we are hard-coding the value of "alg", which will be used to
decode the signature. But ideally, we should read the value from
identity.xml and expose it in the JWKS endpoint. If that is the case, then
which algorithm should we read from identity.xml? Or do we have to expose
different keysets for different algorithms (e.g. 3 different keysets if all
of the above signature algorithms are different)?
Reference
[1] https://tools.ietf.org/html/rfc7517#page-8
Thanks and Regards,
Kumaaran
--
*Inthirakumaaran*
Software Engineer | WSO2
E-mail:[email protected]
Mobile:+94775558050
Web:https://wso2.com
<http://wso2.com/signature>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
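The arrangement the mail asks about, shown as an added example in Go (editor's code, not WSO2 Identity Server code): one JWKS document whose "keys" array carries one entry per signing key, each entry published with its own kid and the alg configured for that token type, and a client-side verifier that selects the key by kid and refuses a token whose header alg differs from the alg the key was published with. The key ids, the claims, and the pairing of RS256 with the access token and RS512 with the ID token are constructed assumptions; RS384 is left out of the alg table for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 behind crypto.SHA256.New
	_ "crypto/sha512" // registers SHA-512 behind crypto.SHA512.New
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517 members of one key (kty, e, use, kid, alg, n in the mail's sample);
// JWKS is the endpoint document: a single "keys" array with one entry per signing key.
type JWK map[string]string
type JWKS struct{ Keys []JWK `json:"keys"` }

// algs maps a JWS alg to its digest (constructed subset; RS384 left out).
var algs = map[string]crypto.Hash{"RS256": crypto.SHA256, "RS512": crypto.SHA512}
var b64 = base64.RawURLEncoding // JWK members and JWS segments use base64url without padding

// keyToJWK publishes a public key under a kid, tagged with the alg configured for that token type.
func keyToJWK(pub *rsa.PublicKey, kid, alg string) JWK {
	return JWK{"kty": "RSA", "use": "sig", "kid": kid, "alg": alg,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// jwkToKey rebuilds the public key from n and e, the step a client performs after fetching the JWKS.
func jwkToKey(k JWK) (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k["n"])
	e, errE := b64.DecodeString(k["e"])
	if k["kty"] != "RSA" || errN != nil || errE != nil { return nil, errors.New("malformed RSA JWK") }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// digest hashes the JWS signing input with the digest the alg prescribes.
func digest(h crypto.Hash, input string) []byte {
	d := h.New()
	d.Write([]byte(input))
	return d.Sum(nil)
}

// sign builds a compact JWS whose header names both the alg and the kid of the key used.
func sign(priv *rsa.PrivateKey, kid, alg string, claims map[string]any) (string, error) {
	h, ok := algs[alg]
	if !ok { return "", errors.New("unsupported alg") }
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, h, digest(h, input))
	return input + "." + b64.EncodeToString(sig), err
}

// verify selects the key by kid, requires the token's alg to equal the alg the JWK was
// published with (so the header cannot steer verification to another algorithm), and
// only then checks the signature; on success it returns the raw payload JSON.
func verify(jwks JWKS, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrBytes, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(hdrBytes, &hdr) != nil { return nil, errors.New("malformed header or signature") }
	var jwk JWK
	for _, k := range jwks.Keys { if k["kid"] == hdr.Kid { jwk = k } }
	if jwk == nil { return nil, errors.New("unknown kid") }
	if jwk["alg"] != hdr.Alg { return nil, fmt.Errorf("alg mismatch: token says %s, key published as %s", hdr.Alg, jwk["alg"]) }
	h, ok := algs[hdr.Alg]
	pub, err := jwkToKey(jwk)
	if !ok || err != nil { return nil, errors.New("unsupported alg or malformed key") }
	if rsa.VerifyPKCS1v15(pub, h, digest(h, parts[0]+"."+parts[1]), sig) != nil { return nil, errors.New("bad signature") }
	return b64.DecodeString(parts[1])
}

// demo publishes two keys (one per token type, each with its own alg) in one JWKS and verifies
// three tokens against it: a valid access token, a valid ID token, and a token whose header
// claims an alg other than the one its key was published with. Kids and claims are constructed.
func demo() (doc string, res [3]error, err error) {
	accessKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	idKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil { return "", res, errors.New("key generation failed") }
	jwks := JWKS{Keys: []JWK{
		keyToJWK(&accessKey.PublicKey, "access-key-1", "RS256"),
		keyToJWK(&idKey.PublicKey, "id-key-1", "RS512"),
	}}
	claims := map[string]any{"sub": "alice", "iss": "https://idp.example"}
	access, _ := sign(accessKey, "access-key-1", "RS256", claims)
	idTok, _ := sign(idKey, "id-key-1", "RS512", claims)
	mismatched, _ := sign(accessKey, "access-key-1", "RS512", claims) // header alg != published alg
	for i, t := range []string{access, idTok, mismatched} { _, res[i] = verify(jwks, t) }
	d, _ := json.MarshalIndent(jwks, "", "  ")
	return string(d), res, nil
}

func main() { fmt.Println(demo()) }
```

Running it prints the two-entry JWKS document and the three verification results: the first two are nil, the third is the alg-mismatch error. RFC 7517 already allows a key set to hold several keys, so the per-token algorithms from identity.xml do not need separate endpoints; what matters is that each published entry states the alg its key is used with, and that the verifier treats the token header's alg as a claim to be checked against the JWK rather than as the instruction to follow.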