Hi,

On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <[email protected]> wrote:

> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>
>> Hi,
>>
>> In IS, when signing the ID token, we are passing the "kid" header parameter in the response.
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>
>> As per the specification (refer [1]):
>>
>>> The kid value is a key identifier used in identifying the key to be used to verify the signature. If the kid value is unknown to the RP, it needs to retrieve the contents of the OP's JWK Set again to obtain the OP's current set of keys.
>>
>> We have hard coded this "kid" value at the implementation level. What happens if the signing key is a different one from the default one?
>>
>> It seems like this "kid" is a hint to identify which specific key is to be used to validate the signature when there are multiple keys. Is it a valid use case in IS, since there cannot be multiple certs available in the resident IDP? And also, is it correct to use a hard coded value from the back-end?
>
> Having a hard coded value is not correct. The "kid" value should be generated based on the certificate "thumbprint". A hard coded value would work for the super tenant default keystore.

Thanks. I have created a public JIRA in [1] to handle this.

[1] https://wso2.org/jira/browse/IDENTITY-6311

>> This is hard coded in JwksEndpoint as well.
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>
>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>
>> In which scenarios should this "kid" header parameter be sent, and in which should it not? Recently we have implemented signing the user info JWT response and need to verify whether the "kid" parameter should be sent there as well.
>>
>> Appreciate your ideas on the above concerns.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email [email protected]
>> Mobile 0772182255
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933

--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email [email protected]
Mobile 0772182255

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
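An added example, not code from this thread or from the identity-inbound-auth-oauth repository, showing the two points Gayan and Indunil settle on as working code: the "kid" is derived from the signing certificate's thumbprint and published with the key in the JWK Set, and the RP selects its verification key by that "kid", treating a "kid" it has never seen as a signal to refetch the OP's JWK Set rather than as a forged token. It is Go against the standard library so it runs without WSO2 IS, and it takes the thumbprint as base64url(SHA-256(DER)), the value RFC 7517 calls x5t#S256; the tokens are ES256 rather than the RS256 that IS produces, purely to keep the code short. Signer, NewSigner, Sign, Verify, ErrUnknownKid, the tenant name, the claims and the placeholder hard-coded kid "default" are all this example's own assumptions, and the certificate is generated on the fly instead of being read from a tenant keystore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS and JWK use unpadded base64url throughout
var ErrUnknownKid = errors.New("kid not in cached JWK Set: refetch the OP's jwks_uri and retry once")
type JWK struct{ Kty, Crv, Kid, X, Y string } // subset of an RFC 7517 EC public-key entry

// Signer stands in for a tenant keystore entry: the private key plus the JWK the JWKS endpoint publishes for it.
type Signer struct {
	Key *ecdsa.PrivateKey
	Pub JWK
}

// NewSigner generates a P-256 key with a throwaway self-signed certificate and derives the kid as the
// certificate thumbprint base64url(SHA-256(DER)), RFC 7517's "x5t#S256". SHA-256 is this example's choice.
func NewSigner(cn string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	thumb := sha256.Sum256(der)
	pub := JWK{Kty: "EC", Crv: "P-256", Kid: b64.EncodeToString(thumb[:]),
		X: b64.EncodeToString(key.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(key.Y.FillBytes(make([]byte, 32)))}
	return &Signer{Key: key, Pub: pub}, nil
}

// Sign produces a compact ES256 JWS. kid is a parameter only so a caller can reproduce the
// hard-coded-kid mistake from the thread; a real token builder always passes s.Pub.Kid.
func (s *Signer) Sign(claims map[string]interface{}, kid string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, sg, err := ecdsa.Sign(rand.Reader, s.Key, h[:])
	if err != nil {
		return "", err
	}
	raw := append(r.FillBytes(make([]byte, 32)), sg.FillBytes(make([]byte, 32))...) // JWS wants fixed-width r||s
	return input + "." + b64.EncodeToString(raw), nil
}

// Verify is the RP side: select the cached JWK (jwks is keyed by kid) named in the header, then check ES256.
func Verify(token string, jwks map[string]JWK) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil ||
		hdr.Alg != "ES256" || len(sig) != 64 { // the token never gets to choose the algorithm
		return nil, errors.New("undecodable JWS, unsupported alg or malformed signature")
	}
	key, ok := jwks[hdr.Kid]
	if !ok {
		return nil, ErrUnknownKid
	}
	x, _ := b64.DecodeString(key.X)
	y, _ := b64.DecodeString(key.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the key named by kid")
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(body, &claims)
}

func main() {
	s, _ := NewSigner("foo.com")                                         // a tenant's key; s.Pub.Kid is its thumbprint
	tok, _ := s.Sign(map[string]interface{}{"sub": "admin"}, "default") // hard-coded placeholder kid, tenant key
	fmt.Println(Verify(tok, map[string]JWK{s.Pub.Kid: s.Pub}))           // nil claims and ErrUnknownKid
}
```

Signing a tenant's token with the super tenant's kid, which is what a hard-coded value turns into once a tenant keystore is in play, makes Verify pick the super tenant's JWK and fail the signature check, while a kid that is in no JWK Set at all comes back as ErrUnknownKid, the one outcome the RP should answer with a refetch of jwks_uri and a single retry; everything else is a plain rejection. A token without any kid, the JWTTokenGenerator case Indunil asks about, gives Verify nothing to select on, so it only works for an RP that holds exactly one candidate key.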
