In order to retrieve the tenant public key to calculate the kid value, we can use
the same logic as in [1].

boolean isJWTSignedWithSPKey =
        OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
String tenantDomain = null;
if (isJWTSignedWithSPKey) {
    tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
} else {
    tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
}


[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434

On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana <darsh...@wso2.com>
wrote:

> Will prioritize this for IS 5.4.0.
>
> Thanks,
>
> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>> Hope we will fix this for IS 5.4.0..?
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <
>> indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <
>>>> indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In IS, when signing the ID token, we are passing the "kid" header
>>>>> parameter in the response.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>>
>>>>> As per the specification (Refer [1]) :
>>>>>
>>>>>> *The kid value is a key identifier used in identifying the key to be
>>>>>> used to verify the signature. If the kid value is unknown to the RP, it
>>>>>> needs to retrieve the contents of the OP's JWK Set again to obtain the
>>>>>> OP's current set of keys.*
>>>>>>
>>>>>
>>>>> We have hard coded this "kid" value in the implementation level. What
>>>>> happens if the signing key is a different one than the default one?
>>>>>
>>>>> Seems like this "kid" is like a hint to identify which specific key to
>>>>> be used to validate the signature, when there are multiple keys. Is it a
>>>>> valid use case in IS, since there cannot be multiple certs available in
>>>>> resident IDP? And also is it correct to use a hard coded value from
>>>>> back-end?
>>>>>
>>>> Having hard coded value is not correct. "kid" value should be generated
>>>> based on certificate "thumbprint". Hard coded value would work for super
>>>> tenant default keystore.
>>>>
>>>
>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>
>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> This is hard coded in JwksEndpoint as well.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>>
>>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>>
>>>>> In which scenarios should this "kid" header parameter be sent, and when
>>>>> should it not be sent? Recently we have implemented signing of the user info JWT
>>>>> response and need to verify whether the "kid" parameter should be sent there
>>>>> as well.
>>>>>
>>>>>
>>>>>
>>>>> Appreciate your ideas on above concerns.
>>>>>
>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>>
>>>>>
>>>>> Thanks and Regards
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Email    indu...@wso2.com
>>>>> Mobile   0772182255 <077%20218%202255>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Email    indu...@wso2.com
>>> Mobile   0772182255 <077%20218%202255>
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950 <(650)%20625-7950>
>>
>> http://facilelogin.com
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com <darsh...@wso2.com>*
> *Mobile: +94718566859 <+94%2071%20856%206859>*Lean . Enterprise .
> Middleware
>



-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
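Added example (not code from the thread or from the WSO2 project) showing the point made above: deriving the kid from the certificate thumbprint rather than a hard-coded constant, publishing it in the JWK Set, and resolving a token header's kid on the RP side as the spec describes. The DER certificate bytes and the "n" modulus are constructed placeholders; only the kid derivation and lookup logic are the subject.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded X.509 certificates (not real certs):
# the super-tenant default keystore cert and a separate tenant's cert.
SUPER_TENANT_CERT_DER = b"constructed-der-bytes-super-tenant-default-cert"
TENANT_CERT_DER = b"constructed-der-bytes-foo.com-tenant-cert"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWK/JWT fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_kid(cert_der: bytes, algo: str = "sha1") -> str:
    """Derive a kid from the certificate thumbprint.
    SHA-1 matches the JWK 'x5t' field, SHA-256 matches 'x5t#S256'."""
    return b64url(hashlib.new(algo, cert_der).digest())


def build_jwks(certs: dict) -> dict:
    """Build a JWK Set (tenant domain -> DER cert) whose entries carry
    thumbprint-based kids. Key material ('n') is a placeholder here."""
    keys = []
    for der in certs.values():
        keys.append({"kty": "RSA", "use": "sig", "alg": "RS256",
                     "kid": thumbprint_kid(der),
                     "x5t": thumbprint_kid(der, "sha1"),
                     "x5t#S256": thumbprint_kid(der, "sha256"),
                     "n": b64url(der), "e": "AQAB"})  # constructed modulus
    return {"keys": keys}


def select_key(jwks: dict, jwt_header: dict):
    """RP-side lookup: return the single JWK whose kid matches the token
    header. None means 'unknown or ambiguous kid', i.e. the RP must refetch
    the OP's JWK Set (or the OP published a non-unique kid)."""
    kid = jwt_header.get("kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    return matches[0] if len(matches) == 1 else None


def hardcoded_kid_jwks(jwks: dict, constant: str = "default") -> dict:
    """Model the hard-coded behaviour: every key is published with the same
    kid, so a multi-tenant JWK Set can no longer be resolved by kid."""
    return {"keys": [dict(k, kid=constant) for k in jwks["keys"]]}
```

With thumbprint kids a token signed by the foo.com tenant key resolves to that tenant's JWK; with the constant kid the same lookup is ambiguous and fails.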
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
