Hi,

In IS, when signing the ID token, we are passing the "kid" header parameter
in the response.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122

As per the specification (refer [1]):

> The kid value is a key identifier used in identifying the key to be used
> to verify the signature. If the kid value is unknown to the RP, it needs to
> retrieve the contents of the OP's JWK Set again to obtain the OP's current
> set of keys.

We have hard-coded this "kid" value at the implementation level. What
happens if the signing key is a different one than the default one?

Seems like this "kid" is a hint to identify which specific key should be
used to validate the signature when there are multiple keys. Is that a valid
use case in IS, since there cannot be multiple certs available in the resident
IDP? And also, is it correct to use a hard-coded value from the back-end?

This is hard coded in JwksEndpoint as well.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54

But in JWTTokenGenerator, we are not setting the "kid" parameter.
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293

In which scenarios should this "kid" header parameter be sent, and in which
should it not? Recently we implemented signing of the user info JWT
response and need to verify whether the "kid" parameter should be sent there as
well.

Appreciate your ideas on the above concerns.

[1] http://openid.net/specs/openid-connect-core-1_0.html


Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
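An added illustration, not part of the mail above or of the IS code base, of what the quoted spec text asks of the RP and of what a hard-coded kid does once the signing key differs from the default: an RP-side verifier that resolves the key by kid, re-fetches the JWK Set once when the kid is unknown, and fails the signature check when the header names a key other than the one that actually signed the token. Key ids, secrets and both JWK Sets are constructed; HMAC ("oct") keys stand in for the OP's RSA keys only so that it runs with the Python standard library.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed sample JWK Sets. "oct" (HMAC) keys are used only so that the check runs with the
# standard library; an OP publishes RSA/EC public keys, but kid selection works the same way.
OLD_KEY = {"kty": "oct", "kid": "key-2017", "alg": "HS256", "k": b64url_encode(b"old-secret-2017")}
NEW_KEY = {"kty": "oct", "kid": "key-2018", "alg": "HS256", "k": b64url_encode(b"new-secret-2018")}
CACHED_JWKS = {"keys": [OLD_KEY]}             # the set the RP fetched and cached earlier
CURRENT_JWKS = {"keys": [OLD_KEY, NEW_KEY]}   # the set the OP's jwks endpoint serves now

def sign_hs256(claims, jwk, kid="auto"):
    """Issue a compact JWS. kid="auto" puts the signing key's own kid in the header,
    kid=None omits the header, any other value is written as given (e.g. a hard-coded one)."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = jwk["kid"] if kid == "auto" else kid
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def select_key(jwks, kid):
    """Pick the verification key by kid; without a kid, only an unambiguous single-key set is usable."""
    keys = jwks["keys"]
    if kid is None:
        return keys[0] if len(keys) == 1 else None
    return next((k for k in keys if k.get("kid") == kid), None)

def verify(token, cached_jwks, fetch_jwks):
    """Verify a compact JWS, re-fetching the OP's JWK Set once when the kid is unknown (OIDC Core 10.1)."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    key = select_key(cached_jwks, header.get("kid"))
    if key is None:
        key = select_key(fetch_jwks(), header.get("kid"))
    if key is None:
        raise ValueError("no key for kid %r" % header.get("kid"))
    expected = hmac.new(b64url_decode(key["k"]), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))
```

A token signed with the rotated key but still carrying the old, hard-coded kid makes the RP select the old key, so verification fails even though the OP's current JWK Set contains the right key.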
