Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-09-01 Thread Gayan Gunawardana
On Fri, Sep 1, 2017 at 10:18 AM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Gayan,
>
> It seems we can use [1] which contains the exact logic to generate 'kid'
> value. WDYT?
>
According to JWS specification [1]

The structure of the "kid" value is unspecified. Its value MUST be a
case-sensitive string.

However client should be able to obtain necessary keys by invoking jwks_uri
with "kid" value. In some implementations "x5t" is used as "kid".

You can find similar log in [2] as well.


[1] https://tools.ietf.org/html/rfc7515#section-4.1.4
[2]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/feature-OIDC-enh-5.3.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L414

>
> [1] https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/
> oauth2/util/OAuth2Util.java#L1568
>
> Thanks,
>
>
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M :0718407133| http://wso2.com 
>
> On Fri, Sep 1, 2017 at 10:10 AM, Gayan Gunawardana  wrote:
>
>> In order to retrieve tenant public key to calculate kid value we can use
>> same logic as in [1].
>>
>> boolean isJWTSignedWithSPKey = 
>> OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
>> String tenantDomain = null;
>> if(isJWTSignedWithSPKey) {
>> tenantDomain = (String) 
>> request.getProperty(MultitenantConstants.TENANT_DOMAIN);
>> } else {
>> tenantDomain = 
>> request.getAuthorizationReqDTO().getUser().getTenantDomain();
>> }
>>
>>
>> [1] https://github.com/wso2-extensions/identity-inbound-auth-
>> oauth/blob/master/components/org.wso2.carbon.identity.
>> oauth/src/main/java/org/wso2/carbon/identity/openidconnect/
>> DefaultIDTokenBuilder.java#L434
>>
>> On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana > > wrote:
>>
>>> Will prioritize this for IS 5.4.0.
>>>
>>> Thanks,
>>>
>>> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena 
>>> wrote:
>>>
 Hope we will fix this for IS 5.4.0..?

 Thanks & regards,
 -Prabath

 On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
 indu...@wso2.com> wrote:

> Hi,
>
> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana 
> wrote:
>
>>
>>
>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> In IS, when signing the ID token, we are passing the "kid" header
>>> parameter in the response.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>>> /main/java/org/wso2/carbon/identity/openidconnect/DefaultIDT
>>> okenBuilder.java#L122
>>>
>>> As per the specification (Refer [1]) :
>>>
 *The kid value is a key identifier used in identifying the key to
 be used to verify the signature.If the kid value is unknown to the RP, 
 it
 needs to retrieve the contents of the OP's JWK Set again to obtain the 
 OP's
 current set of keys. *

>>>
>>> We have hard coded this "kid" value in the implementation level.
>>> What happens if the signing key is a different one than the default one?
>>>
>>> Seems like this "kid" is like a hint to identify which specific key
>>> to be used to validate the signature, when there are multiple keys. Is 
>>> it a
>>> valid use case in IS, since there cannot be multiple certs available in
>>> resident IDP? And also is it correct to use a hard coded value from
>>> back-end?
>>>
>> Having hard coded value is not correct. "kid" value should be
>> generated based on certificate "thumbprint". Hard coded value would work
>> for super tenant default keystore.
>>
>
> Thanks. I have created a public JIRA in [1] to handle this.
>
> [1] https://wso2.org/jira/browse/IDENTITY-6311
>
>
>>
>>>
>>>
>>>
>>> This is hard coded in JwksEndpoint as well.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>> th/blob/master/components/org.wso2.carbon.identity.oauth.end
>>> point/src/main/java/org/wso2/carbon/identity/oauth/endpoint/
>>> jwks/JwksEndpoint.java#L54
>>>
>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>>> /main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTo
>>> kenGenerator.java#L293
>>>
>>> In which scenarios, this "kid" header parameter should be sent and
>>> should not be sent? Recently we have implemented to sign the user info 
>>> JWT
>>> response and need to verify whether "kid" parameter should be

Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-31 Thread Hasanthi Purnima Dissanayake
Hi Gayan,

It seems we can use [1] which contains the exact logic to generate 'kid'
value. WDYT?

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L1568

Thanks,



Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 

On Fri, Sep 1, 2017 at 10:10 AM, Gayan Gunawardana  wrote:

> In order to retrieve tenant public key to calculate kid value we can use
> same logic as in [1].
>
> boolean isJWTSignedWithSPKey = 
> OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
> String tenantDomain = null;
> if(isJWTSignedWithSPKey) {
> tenantDomain = (String) 
> request.getProperty(MultitenantConstants.TENANT_DOMAIN);
> } else {
> tenantDomain = 
> request.getAuthorizationReqDTO().getUser().getTenantDomain();
> }
>
>
> [1] https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/
> DefaultIDTokenBuilder.java#L434
>
> On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana 
> wrote:
>
>> Will prioritize this for IS 5.4.0.
>>
>> Thanks,
>>
>> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena 
>> wrote:
>>
>>> Hope we will fix this for IS 5.4.0..?
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
 Hi,

 On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana 
 wrote:

>
>
> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> In IS, when signing the ID token, we are passing the "kid" header
>> parameter in the response.
>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>> /main/java/org/wso2/carbon/identity/openidconnect/DefaultIDT
>> okenBuilder.java#L122
>>
>> As per the specification (Refer [1]) :
>>
>>> *The kid value is a key identifier used in identifying the key to be
>>> used to verify the signature.If the kid value is unknown to the RP, it
>>> needs to retrieve the contents of the OP's JWK Set again to obtain the 
>>> OP's
>>> current set of keys. *
>>>
>>
>> We have hard coded this "kid" value in the implementation level. What
>> happens if the signing key is a different one than the default one?
>>
>> Seems like this "kid" is like a hint to identify which specific key
>> to be used to validate the signature, when there are multiple keys. Is 
>> it a
>> valid use case in IS, since there cannot be multiple certs available in
>> resident IDP? And also is it correct to use a hard coded value from
>> back-end?
>>
> Having hard coded value is not correct. "kid" value should be
> generated based on certificate "thumbprint". Hard coded value would work
> for super tenant default keystore.
>

 Thanks. I have created a public JIRA in [1] to handle this.

 [1] https://wso2.org/jira/browse/IDENTITY-6311


>
>>
>>
>>
>> This is hard coded in JwksEndpoint as well.
>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>> th/blob/master/components/org.wso2.carbon.identity.oauth.end
>> point/src/main/java/org/wso2/carbon/identity/oauth/endpoint/
>> jwks/JwksEndpoint.java#L54
>>
>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>> th/blob/master/components/org.wso2.carbon.identity.oauth/src
>> /main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTo
>> kenGenerator.java#L293
>>
>> In which scenarios, this "kid" header parameter should be sent and
>> should not be sent? Recently we have implemented to sign the user info 
>> JWT
>> response and need to verify whether "kid" parameter should be sent there 
>> as
>> well.
>>
>>
>>
>> Appreciate your ideas on above concerns.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255 <077%20218%202255>
>>
>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



 --
 Indunil Upeksha Rathnayake
 Software Engineer | WSO2 Inc
 Emailindu...@wso2.com
 Mobile   0772182255 <077%20218%202255>

>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedi

Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-31 Thread Gayan Gunawardana
In order to retrieve tenant public key to calculate kid value we can use
same logic as in [1].

boolean isJWTSignedWithSPKey =
OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
String tenantDomain = null;
if(isJWTSignedWithSPKey) {
tenantDomain = (String)
request.getProperty(MultitenantConstants.TENANT_DOMAIN);
} else {
tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
}


[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434

On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana 
wrote:

> Will prioritize this for IS 5.4.0.
>
> Thanks,
>
> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena 
> wrote:
>
>> Hope we will fix this for IS 5.4.0..?
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana 
>>> wrote:
>>>


 On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
 indu...@wso2.com> wrote:

> Hi,
>
> In IS, when signing the ID token, we are passing the "kid" header
> parameter in the response.
> https://github.com/wso2-extensions/identity-inbound-auth-oau
> th/blob/master/components/org.wso2.carbon.identity.oauth/src
> /main/java/org/wso2/carbon/identity/openidconnect/DefaultIDT
> okenBuilder.java#L122
>
> As per the specification (Refer [1]) :
>
>> *The kid value is a key identifier used in identifying the key to be
>> used to verify the signature.If the kid value is unknown to the RP, it
>> needs to retrieve the contents of the OP's JWK Set again to obtain the 
>> OP's
>> current set of keys. *
>>
>
> We have hard coded this "kid" value in the implementation level. What
> happens if the signing key is a different one than the default one?
>
> Seems like this "kid" is like a hint to identify which specific key to
> be used to validate the signature, when there are multiple keys. Is it a
> valid use case in IS, since there cannot be multiple certs available in
> resident IDP? And also is it correct to use a hard coded value from
> back-end?
>
 Having hard coded value is not correct. "kid" value should be generated
 based on certificate "thumbprint". Hard coded value would work for super
 tenant default keystore.

>>>
>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>
>>>

>
>
>
> This is hard coded in JwksEndpoint as well.
> https://github.com/wso2-extensions/identity-inbound-auth-oau
> th/blob/master/components/org.wso2.carbon.identity.oauth.end
> point/src/main/java/org/wso2/carbon/identity/oauth/endpoint/
> jwks/JwksEndpoint.java#L54
>
> But in JWTTokenGenerator, we are not setting the "kid" parameter.
> https://github.com/wso2-extensions/identity-inbound-auth-oau
> th/blob/master/components/org.wso2.carbon.identity.oauth/src
> /main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTo
> kenGenerator.java#L293
>
> In which scenarios, this "kid" header parameter should be sent and
> should not be sent? Recently we have implemented to sign the user info JWT
> response and need to verify whether "kid" parameter should be sent there 
> as
> well.
>
>
>
> Appreciate your ideas on above concerns.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html
>
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255 <077%20218%202255>
>



 --
 Gayan Gunawardana
 Senior Software Engineer; WSO2 Inc.; http://wso2.com/
 Email: ga...@wso2.com
 Mobile: +94 (71) 8020933

>>>
>>>
>>>
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Emailindu...@wso2.com
>>> Mobile   0772182255 <077%20218%202255>
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950 <(650)%20625-7950>
>>
>> http://facilelogin.com
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com *
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-31 Thread Darshana Gunawardana
Will prioritize this for IS 5.4.0.

Thanks,

On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena 
wrote:

> Hope we will fix this for IS 5.4.0..?
>
> Thanks & regards,
> -Prabath
>
> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana 
>> wrote:
>>
>>>
>>>
>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>> indu...@wso2.com> wrote:
>>>
 Hi,

 In IS, when signing the ID token, we are passing the "kid" header
 parameter in the response.
 https://github.com/wso2-extensions/identity-inbound-auth-oau
 th/blob/master/components/org.wso2.carbon.identity.oauth/src
 /main/java/org/wso2/carbon/identity/openidconnect/DefaultIDT
 okenBuilder.java#L122

 As per the specification (Refer [1]) :

> *The kid value is a key identifier used in identifying the key to be
> used to verify the signature.If the kid value is unknown to the RP, it
> needs to retrieve the contents of the OP's JWK Set again to obtain the 
> OP's
> current set of keys. *
>

 We have hard coded this "kid" value in the implementation level. What
 happens if the signing key is a different one than the default one?

 Seems like this "kid" is like a hint to identify which specific key to
 be used to validate the signature, when there are multiple keys. Is it a
 valid use case in IS, since there cannot be multiple certs available in
 resident IDP? And also is it correct to use a hard coded value from
 back-end?

>>> Having hard coded value is not correct. "kid" value should be generated
>>> based on certificate "thumbprint". Hard coded value would work for super
>>> tenant default keystore.
>>>
>>
>> Thanks. I have created a public JIRA in [1] to handle this.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>
>>
>>>



 This is hard coded in JwksEndpoint as well.
 https://github.com/wso2-extensions/identity-inbound-auth-oau
 th/blob/master/components/org.wso2.carbon.identity.oauth.end
 point/src/main/java/org/wso2/carbon/identity/oauth/endpoint
 /jwks/JwksEndpoint.java#L54

 But in JWTTokenGenerator, we are not setting the "kid" parameter.
 https://github.com/wso2-extensions/identity-inbound-auth-oau
 th/blob/master/components/org.wso2.carbon.identity.oauth/src
 /main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTo
 kenGenerator.java#L293

 In which scenarios, this "kid" header parameter should be sent and
 should not be sent? Recently we have implemented to sign the user info JWT
 response and need to verify whether "kid" parameter should be sent there as
 well.



 Appreciate your ideas on above concerns.

 [1] http://openid.net/specs/openid-connect-core-1_0.html


 Thanks and Regards
 --
 Indunil Upeksha Rathnayake
 Software Engineer | WSO2 Inc
 Emailindu...@wso2.com
 Mobile   0772182255 <077%20218%202255>

>>>
>>>
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: ga...@wso2.com
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255 <077%20218%202255>
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950 <(650)%20625-7950>
>
> http://facilelogin.com
>



-- 
Regards,


*Darshana Gunawardana*Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com *
*Mobile: +94718566859*Lean . Enterprise . Middleware
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-29 Thread Prabath Siriwardena
Hope we will fix this for IS 5.4.0..?

Thanks & regards,
-Prabath

On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana 
> wrote:
>
>>
>>
>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> In IS, when signing the ID token, we are passing the "kid" header
>>> parameter in the response.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>> th/blob/master/components/org.wso2.carbon.identity.oauth/
>>> src/main/java/org/wso2/carbon/identity/openidconnect/Default
>>> IDTokenBuilder.java#L122
>>>
>>> As per the specification (Refer [1]) :
>>>
 *The kid value is a key identifier used in identifying the key to be
 used to verify the signature.If the kid value is unknown to the RP, it
 needs to retrieve the contents of the OP's JWK Set again to obtain the OP's
 current set of keys. *

>>>
>>> We have hard coded this "kid" value in the implementation level. What
>>> happens if the signing key is a different one than the default one?
>>>
>>> Seems like this "kid" is like a hint to identify which specific key to
>>> be used to validate the signature, when there are multiple keys. Is it a
>>> valid use case in IS, since there cannot be multiple certs available in
>>> resident IDP? And also is it correct to use a hard coded value from
>>> back-end?
>>>
>> Having hard coded value is not correct. "kid" value should be generated
>> based on certificate "thumbprint". Hard coded value would work for super
>> tenant default keystore.
>>
>
> Thanks. I have created a public JIRA in [1] to handle this.
>
> [1] https://wso2.org/jira/browse/IDENTITY-6311
>
>
>>
>>>
>>>
>>>
>>> This is hard coded in JwksEndpoint as well.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>> th/blob/master/components/org.wso2.carbon.identity.oauth.
>>> endpoint/src/main/java/org/wso2/carbon/identity/oauth/
>>> endpoint/jwks/JwksEndpoint.java#L54
>>>
>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>> https://github.com/wso2-extensions/identity-inbound-auth-oau
>>> th/blob/master/components/org.wso2.carbon.identity.oauth/
>>> src/main/java/org/wso2/carbon/identity/oauth2/authcontext/
>>> JWTTokenGenerator.java#L293
>>>
>>> In which scenarios, this "kid" header parameter should be sent and
>>> should not be sent? Recently we have implemented to sign the user info JWT
>>> response and need to verify whether "kid" parameter should be sent there as
>>> well.
>>>
>>>
>>>
>>> Appreciate your ideas on above concerns.
>>>
>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>
>>>
>>> Thanks and Regards
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Emailindu...@wso2.com
>>> Mobile   0772182255 <077%20218%202255>
>>>
>>
>>
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: ga...@wso2.com
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255 <077%20218%202255>
>



-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-29 Thread Indunil Upeksha Rathnayake
Hi,

On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana  wrote:

>
>
> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> In IS, when signing the ID token, we are passing the "kid" header
>> parameter in the response.
>> https://github.com/wso2-extensions/identity-inbound-auth-
>> oauth/blob/master/components/org.wso2.carbon.identity.
>> oauth/src/main/java/org/wso2/carbon/identity/openidconnect/
>> DefaultIDTokenBuilder.java#L122
>>
>> As per the specification (Refer [1]) :
>>
>>> *The kid value is a key identifier used in identifying the key to be
>>> used to verify the signature.If the kid value is unknown to the RP, it
>>> needs to retrieve the contents of the OP's JWK Set again to obtain the OP's
>>> current set of keys. *
>>>
>>
>> We have hard coded this "kid" value in the implementation level. What
>> happens if the signing key is a different one than the default one?
>>
>> Seems like this "kid" is like a hint to identify which specific key to be
>> used to validate the signature, when there are multiple keys. Is it a valid
>> use case in IS, since there cannot be multiple certs available in resident
>> IDP? And also is it correct to use a hard coded value from back-end?
>>
> Having hard coded value is not correct. "kid" value should be generated
> based on certificate "thumbprint". Hard coded value would work for super
> tenant default keystore.
>

Thanks. I have created a public JIRA in [1] to handle this.

[1] https://wso2.org/jira/browse/IDENTITY-6311


>
>>
>>
>>
>> This is hard coded in JwksEndpoint as well.
>> https://github.com/wso2-extensions/identity-inbound-auth-
>> oauth/blob/master/components/org.wso2.carbon.identity.
>> oauth.endpoint/src/main/java/org/wso2/carbon/identity/
>> oauth/endpoint/jwks/JwksEndpoint.java#L54
>>
>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>> https://github.com/wso2-extensions/identity-inbound-auth-
>> oauth/blob/master/components/org.wso2.carbon.identity.
>> oauth/src/main/java/org/wso2/carbon/identity/oauth2/
>> authcontext/JWTTokenGenerator.java#L293
>>
>> In which scenarios, this "kid" header parameter should be sent and should
>> not be sent? Recently we have implemented to sign the user info JWT
>> response and need to verify whether "kid" parameter should be sent there as
>> well.
>>
>>
>>
>> Appreciate your ideas on above concerns.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Emailindu...@wso2.com
>> Mobile   0772182255
>>
>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: ga...@wso2.com
> Mobile: +94 (71) 8020933
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] [IS] Usage of "kid" JWT header parameter

2017-08-27 Thread Gayan Gunawardana
On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> In IS, when signing the ID token, we are passing the "kid" header
> parameter in the response.
> https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/
> DefaultIDTokenBuilder.java#L122
>
> As per the specification (Refer [1]) :
>
>> *The kid value is a key identifier used in identifying the key to be used
>> to verify the signature.If the kid value is unknown to the RP, it needs to
>> retrieve the contents of the OP's JWK Set again to obtain the OP's current
>> set of keys. *
>>
>
> We have hard coded this "kid" value in the implementation level. What
> happens if the signing key is a different one than the default one?
>
> Seems like this "kid" is like a hint to identify which specific key to be
> used to validate the signature, when there are multiple keys. Is it a valid
> use case in IS, since there cannot be multiple certs available in resident
> IDP? And also is it correct to use a hard coded value from back-end?
>
Having hard coded value is not correct. "kid" value should be generated
based on certificate "thumbprint". Hard coded value would work for super
tenant default keystore.


>
>
>
> This is hard coded in JwksEndpoint as well.
> https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth.endpoint/src/main/java/org/wso2/carbon/
> identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>
> But in JWTTokenGenerator, we are not setting the "kid" parameter.
> https://github.com/wso2-extensions/identity-inbound-
> auth-oauth/blob/master/components/org.wso2.carbon.
> identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/
> JWTTokenGenerator.java#L293
>
> In which scenarios, this "kid" header parameter should be sent and should
> not be sent? Recently we have implemented to sign the user info JWT
> response and need to verify whether "kid" parameter should be sent there as
> well.
>
>
>
> Appreciate your ideas on above concerns.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html
>
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Emailindu...@wso2.com
> Mobile   0772182255
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] Usage of "kid" JWT header parameter

2017-08-27 Thread Indunil Upeksha Rathnayake
Hi,

In IS, when signing the ID token, we are passing the "kid" header parameter
in the response.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122

As per the specification (Refer [1]) :

> *The kid value is a key identifier used in identifying the key to be used
> to verify the signature.If the kid value is unknown to the RP, it needs to
> retrieve the contents of the OP's JWK Set again to obtain the OP's current
> set of keys. *
>

We have hard coded this "kid" value in the implementation level. What
happens if the signing key is a different one than the default one?

Seems like this "kid" is like a hint to identify which specific key to be
used to validate the signature, when there are multiple keys. Is it a valid
use case in IS, since there cannot be multiple certs available in resident
IDP? And also is it correct to use a hard coded value from back-end?



This is hard coded in JwksEndpoint as well.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54

But in JWTTokenGenerator, we are not setting the "kid" parameter.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293

In which scenarios, this "kid" header parameter should be sent and should
not be sent? Recently we have implemented to sign the user info JWT
response and need to verify whether "kid" parameter should be sent there as
well.



Appreciate your ideas on above concerns.

[1] http://openid.net/specs/openid-connect-core-1_0.html


Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Emailindu...@wso2.com
Mobile   0772182255
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev