In order to retrieve the tenant public key to calculate the kid value, we can use the same logic as in [1].

    boolean isJWTSignedWithSPKey = OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
    String tenantDomain = null;
    if (isJWTSignedWithSPKey) {
        tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
    } else {
        tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
    }

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434

On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana <darsh...@wso2.com> wrote:

> Will prioritize this for IS 5.4.0.
>
> Thanks,
>
> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <prab...@wso2.com> wrote:
>
>> Hope we will fix this for IS 5.4.0..?
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <ga...@wso2.com> wrote:
>>>
>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In IS, when signing the ID token, we are passing the "kid" header parameter in the response.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>>
>>>>> As per the specification (refer [1]):
>>>>>
>>>>>> The kid value is a key identifier used in identifying the key to be used to verify the signature. If the kid value is unknown to the RP, it needs to retrieve the contents of the OP's JWK Set again to obtain the OP's current set of keys.
>>>>>
>>>>> We have hard coded this "kid" value at the implementation level. What happens if the signing key is a different one than the default one?
>>>>>
>>>>> Seems like this "kid" is like a hint to identify which specific key is to be used to validate the signature, when there are multiple keys. Is it a valid use case in IS, since there cannot be multiple certs available in the resident IDP? And also, is it correct to use a hard coded value from the back-end?
>>>>
>>>> Having a hard coded value is not correct. The "kid" value should be generated based on the certificate "thumbprint". A hard coded value would work for the super tenant default keystore.
>>>
>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>
>>>>> This is hard coded in JwksEndpoint as well.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>>
>>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>>
>>>>> In which scenarios should this "kid" header parameter be sent, and in which should it not be sent? Recently we have implemented signing of the user info JWT response and need to verify whether the "kid" parameter should be sent there as well.
>>>>>
>>>>> Appreciate your ideas on the above concerns.
>>>>>
>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>>
>>>>> Thanks and Regards
>>>>> --
>>>>> Indunil Upeksha Rathnayake
>>>>> Software Engineer | WSO2 Inc
>>>>> Email indu...@wso2.com
>>>>> Mobile 0772182255
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: ga...@wso2.com
>>>> Mobile: +94 (71) 8020933
>>>
>>> --
>>> Indunil Upeksha Rathnayake
>>> Software Engineer | WSO2 Inc
>>> Email indu...@wso2.com
>>> Mobile 0772182255
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://facilelogin.com
>
> --
> Regards,
>
> Darshana Gunawardana, Technical Lead
> WSO2 Inc.; http://wso2.com
>
> E-mail: darsh...@wso2.com
> Mobile: +94718566859
> Lean . Enterprise . Middleware

--
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
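As an added example (not code from this thread or from the WSO2 project), the two halves of the discussion in Python: an OP-side kid derived from a certificate thumbprint instead of a fixed string, and the RP-side lookup the quoted spec passage describes (kid as a hint into a cached JWK Set, refetch once when unknown, reject if still unknown). The digest and encoding used for the thumbprint are an assumption, and the certificate bytes are constructed placeholders, not real DER.

```python
import base64
import hashlib
import json
from typing import Callable, Optional

# Constructed placeholders standing in for two tenants' DER-encoded certificates;
# real input would be the bytes X509Certificate.getEncoded() returns.
CERT_TENANT_A = b"constructed-der-placeholder-tenant-a"
CERT_TENANT_B = b"constructed-der-placeholder-tenant-b"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def thumbprint_kid(cert_der: bytes) -> str:
    """Per-certificate kid from the thumbprint rather than a hard coded value.
    Assumed encoding: unpadded base64url of SHA-256 over the DER bytes; the
    thread only says 'thumbprint', so digest and encoding are this example's choice."""
    return _b64url(hashlib.sha256(cert_der).digest())

def make_token(kid: Optional[str]) -> str:
    """Constructed, unsigned compact token whose JOSE header carries the given kid."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = _b64url(json.dumps({"sub": "alice"}).encode())
    return f"{header}.{payload}."  # empty signature segment: demo input only

def jwt_kid(token: str) -> Optional[str]:
    """Read kid from the not-yet-verified header; it is only a hint for key
    selection and must never be trusted beyond choosing which key to verify with."""
    header_b64 = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4)))
    return header.get("kid")

def select_key(token: str, cached_jwks: dict, refetch_jwks: Callable[[], dict]) -> Optional[dict]:
    """RP-side selection per the quoted spec text: look the kid up in the cached
    JWK Set; if unknown, refetch the set once and retry; if still unknown, return
    None so the caller rejects the token instead of guessing a key."""
    kid = jwt_kid(token)
    keys = cached_jwks.get("keys", [])
    if kid is None:
        return keys[0] if len(keys) == 1 else None  # no hint: only safe with one key
    match = [k for k in keys if k.get("kid") == kid]
    if not match:
        cached_jwks.clear()
        cached_jwks.update(refetch_jwks())  # refresh the cache in place, then retry once
        match = [k for k in cached_jwks.get("keys", []) if k.get("kid") == kid]
    return match[0] if match else None
```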
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev