Hi Farasath,

> Shouldn't this restriction be per SP (client)?
> Since jti is an identifier string, what happens if two different SPs send
> two different JWTs with the same jti?

As it is the same token endpoint which will issue the JWT, we did not think to restrict this per SP. So we have prevented use of the same JTI even for different SPs.

Thanks,
Hasanthi

On Sat, Jan 6, 2018 at 8:48 AM, Farasath Ahamed <[email protected]> wrote:

> On Friday, January 5, 2018, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>
>> Hi Isura/Omindu,
>>
>>> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What is
>>> the reason to store those data?
>>
>> In the patch that we have provided for 5.3.0, this table contains the
>> following fields.
>> JWT_ID (primary key)
>> EXP_TIME
>> TIME_CREATED
>>
>> JWT_ID is a unique identifier for the token. According to the spec this
>> token should not be reused. So JWT_ID is responsible for preventing re-use of
>> this token. Hence we need to store the JWT_ID. Based on the EXP_TIME we
>> have planned to clean the records. The spec is a bit flexible on re-using
>> the token. So once the token is expired we let the same JWT_ID be
>> re-used.
>
> Shouldn't this restriction be per SP (client)?
> Since jti is an identifier string, what happens if two different SPs send
> two different JWTs with the same jti?
>
>> jti REQUIRED. JWT ID. A unique identifier for the token, which can be
>> used to prevent reuse of the token. These tokens MUST only be used once,
>> unless conditions for reuse were negotiated between the parties; any such
>> negotiation is beyond the scope of this specification.
>>
>>> If we are storing private keys in the table, make sure the content is
>>> encrypted to avoid security concerns.
>>
>> Actually we don't store private keys here. Anyway the table name is a bit
>> misleading. So shall we re-name the table as IDN_OIDC_JTI?
>>
>> Thanks,
>>
>> On Fri, Jan 5, 2018 at 7:49 AM, Isura Karunaratne <[email protected]> wrote:
>>
>>> Hi Hasanthi,
>>>
>>> On Thu, Jan 4, 2018 at 4:32 PM, Hasanthi Purnima Dissanayake <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> The following tasks are identified for the implementation of the $subject.
>>>>
>>>> 1. Move the logic of validating the token API invocation request to
>>>> validate required parameters for JWT client authentication to
>>>> PrivatekeyJWTClientAuthHandler
>>>> 2. Introduce a new interface to read the public certificate.
>>>> - Certificate can be read from keystore
>>>> - Certificate can be read from db
>>>> - Certificate can be read from any other means
>>>> 3. Data which will be persisted in IDN_JWT_PRIVATE_KEY can grow
>>>> rapidly, which may cause some performance issues. So we need to implement a
>>>> cleanup script based on the expiration time of the JWT.
>>>
>>> Which data are supposed to be stored in the IDN_JWT_PRIVATE_KEY table? What is
>>> the reason to store those data?
>>>
>>> Thanks
>>> Isura.
>>>
>>>> 4. Honour the UI configuration for confidential applications which is
>>>> discussed in mail [1]
>>>>
>>>> Apart from the above, we need to consider the following tasks:
>>>> 1. Improving the unit tests of the repository
>>>> 2. Improve the documentation for the $subject.
>>>>
>>>> [1] Confidential Applications in OAuth2 Flow
>>>>
>>>> Thanks,
>>>> --
>>>> Hasanthi Dissanayake
>>>> Senior Software Engineer | WSO2
>>>> E: [email protected]
>>>> M: 0718407133 | http://wso2.com
>>>
>>> --
>>> Isura Dilhara Karunaratne
>>> Associate Technical Lead | WSO2
>>> Email: [email protected]
>>> Mob: +94 772 254 810
>>> Blog: http://isurad.blogspot.com/
>>
>> --
>> Hasanthi Dissanayake
>> Senior Software Engineer | WSO2
>> E: [email protected]
>> M: 0718407133 | http://wso2.com
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619

--
Hasanthi Dissanayake
Senior Software Engineer | WSO2
E: [email protected]
M: 0718407133 | http://wso2.com
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
