On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:

> Hi,
>
> In IS, when signing the ID token, we are passing the "kid" header parameter in the response.
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>
> As per the specification (Refer [1]):
>
>> The kid value is a key identifier used in identifying the key to be used to verify the signature. If the kid value is unknown to the RP, it needs to retrieve the contents of the OP's JWK Set again to obtain the OP's current set of keys.
>
> We have hard coded this "kid" value in the implementation level. What happens if the signing key is a different one than the default one?
>
> Seems like this "kid" is like a hint to identify which specific key to be used to validate the signature, when there are multiple keys. Is it a valid use case in IS, since there cannot be multiple certs available in resident IDP? And also is it correct to use a hard coded value from back-end?

Having hard coded value is not correct. "kid" value should be generated based on certificate "thumbprint". Hard coded value would work for super tenant default keystore.

> This is hard coded in JwksEndpoint as well.
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>
> But in JWTTokenGenerator, we are not setting the "kid" parameter.
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>
> In which scenarios, this "kid" header parameter should be sent and should not be sent? Recently we have implemented to sign the user info JWT response and need to verify whether "kid" parameter should be sent there as well.
>
> Appreciate your ideas on above concerns.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email [email protected]
> Mobile 0772182255

--
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
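The two points raised in this exchange, a `kid` derived from the signing certificate's thumbprint rather than a hard-coded string, and the RP-side rule that an unknown `kid` triggers a re-fetch of the OP's JWK Set, can be shown together in a small stand-alone model. This is an added example, not WSO2 Identity Server code or anything from the linked classes. It assumes a SHA-256 thumbprint (the thread says "thumbprint" without naming a hash), uses constructed byte strings in place of real DER certificates, and does not perform real RS256 signing; the JWKS endpoint is simulated by an in-memory `FakeOp` class.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    # base64url without padding, as used throughout JOSE (RFC 7515 §2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint_kid(cert_der: bytes) -> str:
    """Derive kid from the SHA-256 thumbprint of the DER-encoded signing certificate.
    The same certificate always yields the same kid; a different certificate (another
    tenant's keystore, or a rotated key) yields a different one, which a hard-coded
    constant cannot express. Assumption: SHA-256; the thread names no hash."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def build_protected_header(kid: str, alg: str = "RS256") -> dict:
    return {"alg": alg, "typ": "JWT", "kid": kid}


def compact_jws_header(token: str) -> dict:
    """Parse the protected header of a compact-serialised JWS (header.payload.signature)."""
    return json.loads(b64url_decode(token.split(".")[0]))


class JwksCache:
    """RP-side key cache implementing the OIDC Core rule quoted above:
    an unknown kid means 'retrieve the OP's JWK Set again', once, then decide."""

    def __init__(self, fetch_jwks):
        self._fetch_jwks = fetch_jwks  # callable returning the OP's JWK Set as a dict
        self._keys = {}
        self.fetch_count = 0

    def refresh(self) -> None:
        self.fetch_count += 1
        doc = self._fetch_jwks()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}

    def key_for(self, kid: str):
        if kid not in self._keys:
            self.refresh()
        return self._keys.get(kid)  # None if still unknown: the token must be rejected


def select_verification_key(token: str, cache: JwksCache) -> dict:
    header = compact_jws_header(token)
    kid = header.get("kid")
    if kid is None:
        raise ValueError("token carries no kid; cannot pick a key from the JWK Set")
    key = cache.key_for(kid)
    if key is None:
        raise ValueError(f"kid {kid!r} not in the OP's JWK Set even after refresh")
    if key.get("alg") not in (None, header.get("alg")):
        raise ValueError("published key alg does not match token alg")
    return key


# Constructed sample data (not real certificates): stand-ins for DER bytes.
CERT_A_DER = b"constructed-der-bytes-default-keystore"
CERT_B_DER = b"constructed-der-bytes-rotated-or-tenant-keystore"
KID_A = thumbprint_kid(CERT_A_DER)
KID_B = thumbprint_kid(CERT_B_DER)


def make_unsigned_token(kid: str) -> str:
    # Structure only: the signature segment is a placeholder, no RS256 signing here.
    header = b64url_encode(json.dumps(build_protected_header(kid)).encode())
    payload = b64url_encode(json.dumps({"iss": "https://op.example", "sub": "user1"}).encode())
    return f"{header}.{payload}.placeholder-signature"


class FakeOp:
    """Simulated jwks endpoint publishing whichever certificate is current.
    x5t#S256 is the standard JWK member for the SHA-256 certificate thumbprint (RFC 7517 §4.9)."""

    def __init__(self, cert_der: bytes):
        self.cert_der = cert_der

    def jwks(self) -> dict:
        kid = thumbprint_kid(self.cert_der)
        return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                          "kid": kid, "x5t#S256": kid}]}


def rotation_scenario():
    """OP rotates its certificate; the RP refetches once on the unknown kid and recovers."""
    op = FakeOp(CERT_A_DER)
    cache = JwksCache(op.jwks)
    first = select_verification_key(make_unsigned_token(KID_A), cache)
    op.cert_der = CERT_B_DER  # rotation: the OP now publishes a different thumbprint kid
    second = select_verification_key(make_unsigned_token(KID_B), cache)
    return first["kid"], second["kid"], cache.fetch_count


def unknown_kid_is_rejected() -> bool:
    """A kid the OP no longer publishes fails after exactly one refresh."""
    cache = JwksCache(FakeOp(CERT_B_DER).jwks)
    try:
        select_verification_key(make_unsigned_token(KID_A), cache)
    except ValueError:
        return cache.fetch_count == 1
    return False


if __name__ == "__main__":
    print(rotation_scenario())
```

The detail worth noting is the reject path: a refresh is attempted once per unknown `kid`, and if the OP's current set still does not contain it the token is refused rather than falling back to "the default key". With a hard-coded `kid`, a tenant keystore or a rotated certificate would publish a key under one identifier while the JWKS endpoint advertised another, so the RP would either refetch on every token or silently verify against the wrong key.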
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
