Tim,

>> Start at https://accounts.google.com/.well-known/openid-configuration

>>

>> Hope it works...


> Looks good.  I added this to the interop info at  
> http://osis.idcommons.net/wiki/OC5:Google_Deployment.


Actually it looks bad.
That configuration includes

"jwks_uri": "https://www.googleapis.com/oauth2/v2/certs",

That JWK has two keys. Calling raw keys "certs" is a curious choice.
Both keys are wrong.
They are 1024-bit RSA keys. The JWA spec says they MUST be 2048-bit or larger.
The "n" members (modulus) are base64-encoded, when they should be base64url-encoded. Note the presence of / and +.
They also start (after base64-decoding) with a leading 0x00 byte, whereas the spec says "n" is unsigned and "MUST utilize the minimum number of octets to represent the value". There should be 1024/6=171 b64 chars, instead of (8+1024)/6=172.
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-23#section-6.3.1.1


https://www.googleapis.com/oauth2/v2/certs:

{
 "keys": [
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "36239103c08ce207082b721dfbc80bc8d800bff2",
   "n": "AKunY03zz/oJonovVNJjnjscjScnqtdtMEmnExJShJkoh8KjyHtH+TAldA7jrpQHDJnX81IxbkmH1JQMkgSKN4qVvJTqvA9RQFc6phN+7HU4JfPfpkYb3Jbnl35w4CXJkZoyXucAj4qw87szAgt2WBLrFoT08PjONmii5cmFR6BT",
   "e": "AQAB"
  },
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "7e18e2970941338884c88f2e789d7d8c519cd919",
   "n": "ALjEqP0OUMivrQUIPj39+ckmE3KBtDDNdJZLCxFRGT2gUETsbc/x+zUit5xvKWN4DbSlVCwHdvIQcEgTdG+HZTrCoPDkoiOW+DxX4j+IkpiS1hy3YL9gHbBD4J75dGGRTfavZ77fu4E0/a/3s22rOda21ZQlUhlUZtyUxUGpxxSj",
   "e": "AQAB"
  }
 ]
}


--
James Manger

_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
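The three defects James lists (modulus below the JWA minimum, "n" in standard rather than base64url alphabet, and a leading 0x00 octet that pads the modulus to 172 rather than 171 characters) can all be checked mechanically against a fetched JWK Set. The script below is an added example and is not code from the post, from Google, or from any JOSE implementation. It embeds the two keys quoted above as its input; the threshold and encoding rules come from the JWA draft the post cites. Names such as audit_jwks and fixed_n are this example's own.

```python
"""Audit an RSA JWK Set for the problems raised in the post above.

Added example, not part of the original mailing-list message. The key set
below is copied from the JWKS quoted in the post; the rules checked come from
the JWA draft cited there: RSA modulus of at least 2048 bits, "n" encoded as
base64url (no '+', '/' or '=' padding), and "n" as an unsigned big-endian
integer using the minimum number of octets (so no leading 0x00).
"""
import base64
import re

JWA_MIN_RSA_BITS = 2048
# base64url alphabet as used by JOSE: no '+', no '/', no '=' padding.
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Copied from the JWKS quoted in the post above (kids and values as shown there).
JWKS_FROM_POST = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig",
         "kid": "36239103c08ce207082b721dfbc80bc8d800bff2",
         "n": "AKunY03zz/oJonovVNJjnjscjScnqtdtMEmnExJShJkoh8KjyHtH+TAldA7jrpQHDJnX81IxbkmH1JQMkgSKN4qVvJTqvA9RQFc6phN+7HU4JfPfpkYb3Jbnl35w4CXJkZoyXucAj4qw87szAgt2WBLrFoT08PjONmii5cmFR6BT",
         "e": "AQAB"},
        {"kty": "RSA", "alg": "RS256", "use": "sig",
         "kid": "7e18e2970941338884c88f2e789d7d8c519cd919",
         "n": "ALjEqP0OUMivrQUIPj39+ckmE3KBtDDNdJZLCxFRGT2gUETsbc/x+zUit5xvKWN4DbSlVCwHdvIQcEgTdG+HZTrCoPDkoiOW+DxX4j+IkpiS1hy3YL9gHbBD4J75dGGRTfavZ77fu4E0/a/3s22rOda21ZQlUhlUZtyUxUGpxxSj",
         "e": "AQAB"},
    ]
}


def decode_lenient(value):
    """Decode a base64url *or* standard base64 string, tolerating absent
    padding, so that a malformed "n" can still be measured rather than
    rejected outright. Strict conformance is checked separately."""
    std = value.rstrip("=").replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def canonical_b64url_uint(raw):
    """Encode an unsigned big-endian integer the way JWA requires: drop any
    leading 0x00 octets, base64url alphabet, no padding."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_rsa_jwk(jwk):
    """Return (modulus_bits, [problem strings]) for one RSA JWK."""
    problems = []
    n_b64 = jwk["n"]
    if not B64URL_RE.match(n_b64):
        problems.append("n is not base64url (contains '+', '/' or '=' padding)")
    raw = decode_lenient(n_b64)
    if raw[:1] == b"\x00":
        problems.append("n has a leading 0x00 octet; JWA requires the minimum number of octets")
    bits = int.from_bytes(raw, "big").bit_length()
    if bits < JWA_MIN_RSA_BITS:
        problems.append(f"modulus is {bits} bits; JWA requires at least {JWA_MIN_RSA_BITS}")
    return bits, problems


def audit_jwks(jwks):
    """Map each RSA key's kid to (bits, problems). Non-RSA keys are skipped."""
    return {k["kid"]: check_rsa_jwk(k) for k in jwks["keys"] if k.get("kty") == "RSA"}


def fixed_n(jwk):
    """The "n" member re-encoded as JWA says it should have been published."""
    return canonical_b64url_uint(decode_lenient(jwk["n"]))


if __name__ == "__main__":
    for kid, (bits, problems) in audit_jwks(JWKS_FROM_POST).items():
        print(f"kid={kid}: {bits}-bit RSA modulus")
        for p in problems:
            print(f"  - {p}")
        # Re-encoding cannot fix the key size, but shows the 171-character form.
        print(f"  canonical n length: {len(fixed_n(next(k for k in JWKS_FROM_POST['keys'] if k['kid'] == kid)))}")
```

Run against the keys quoted above, every key reports all three problems and a 1024-bit modulus, and the re-encoded "n" comes out at 171 characters, matching the count in the post. Against a real deployment you would replace JWKS_FROM_POST with the parsed body of the jwks_uri.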