Hi Gayan,

It seems we can use [1], which contains the exact logic to generate the 'kid' value. WDYT?

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L1568

Thanks,
Hasanthi Dissanayake
Software Engineer | WSO2
E: [email protected]
M: 0718407133 | http://wso2.com

On Fri, Sep 1, 2017 at 10:10 AM, Gayan Gunawardana <[email protected]> wrote:

> In order to retrieve the tenant public key to calculate the kid value we can
> use the same logic as in [1].
>
>     boolean isJWTSignedWithSPKey =
>             OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
>     String tenantDomain = null;
>     if (isJWTSignedWithSPKey) {
>         tenantDomain = (String) request.getProperty(MultitenantConstants.TENANT_DOMAIN);
>     } else {
>         tenantDomain = request.getAuthorizationReqDTO().getUser().getTenantDomain();
>     }
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L434
>
> On Thu, Aug 31, 2017 at 11:24 PM, Darshana Gunawardana <[email protected]> wrote:
>
>> Will prioritize this for IS 5.4.0.
>>
>> Thanks,
>>
>> On Tue, Aug 29, 2017 at 11:47 PM, Prabath Siriwardena <[email protected]> wrote:
>>
>>> Hope we will fix this for IS 5.4.0..?
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Tue, Aug 29, 2017 at 2:34 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Mon, Aug 28, 2017 at 12:07 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>
>>>>> On Mon, Aug 28, 2017 at 11:48 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> In IS, when signing the ID token, we are passing the "kid" header parameter in the response.
>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.java#L122
>>>>>>
>>>>>> As per the specification (refer [1]):
>>>>>>
>>>>>>> The kid value is a key identifier used in identifying the key to be used to verify the signature. If the kid value is unknown to the RP, it needs to retrieve the contents of the OP's JWK Set again to obtain the OP's current set of keys.
>>>>>>
>>>>>> We have hard-coded this "kid" value at the implementation level. What happens if the signing key is a different one than the default one?
>>>>>>
>>>>>> Seems like this "kid" is a hint to identify which specific key is to be used to validate the signature when there are multiple keys. Is it a valid use case in IS, since there cannot be multiple certs available in the resident IDP? And also, is it correct to use a hard-coded value from the back-end?
>>>>>
>>>>> Having a hard-coded value is not correct. The "kid" value should be generated based on the certificate "thumbprint". A hard-coded value would work for the super tenant default keystore.
>>>>
>>>> Thanks. I have created a public JIRA in [1] to handle this.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-6311
>>>>
>>>>>> This is hard-coded in JwksEndpoint as well.
>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/jwks/JwksEndpoint.java#L54
>>>>>>
>>>>>> But in JWTTokenGenerator, we are not setting the "kid" parameter.
>>>>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.java#L293
>>>>>>
>>>>>> In which scenarios should this "kid" header parameter be sent, and in which should it not? Recently we have implemented signing of the user info JWT response and need to verify whether the "kid" parameter should be sent there as well.
>>>>>>
>>>>>> Appreciate your ideas on the above concerns.
>>>>>>
>>>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html
>>>>>>
>>>>>> Thanks and Regards
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Software Engineer | WSO2 Inc
>>>>>> Email [email protected]
>>>>>> Mobile 0772182255
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: [email protected]
>>>>> Mobile: +94 (71) 8020933
>>>>
>>>> --
>>>> Indunil Upeksha Rathnayake
>>>> Software Engineer | WSO2 Inc
>>>> Email [email protected]
>>>> Mobile 0772182255
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>> Mobile : +1 650 625 7950
>>>
>>> http://facilelogin.com
>>
>> --
>> Regards,
>>
>> Darshana Gunawardana
>> Technical Lead
>> WSO2 Inc.; http://wso2.com
>>
>> E-mail: [email protected]
>> Mobile: +94718566859
>> Lean . Enterprise . Middleware
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
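Added example, not code from the thread or from the WSO2 repositories linked above: it shows the two halves of what the thread asks for. On the OP side, a "kid" derived from the signing certificate's thumbprint (base64url of a hash over the DER bytes, the construction RFC 7517 uses for x5t and x5t#S256; SHA-256 as the default is this example's choice) together with the per-tenant key selection from Gayan's snippet, so that the super tenant and another tenant end up with different kids instead of one hard-coded value. On the RP side, the lookup that OpenID Connect Core 1.0 describes: resolve the key by kid from a cached JWK Set, refetch the set once when the kid is unknown, and reject the token if it is still missing. The certificate bytes, tenant names and the `jwks_for` publisher are constructed stand-ins for a keystore and JwksEndpoint, not real X.509 data or WSO2 APIs.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint_kid(der_cert: bytes, algorithm: str = "sha256") -> str:
    """kid derived from the signing certificate: base64url(hash(DER)).
    Same shape as RFC 7517 x5t (sha1) / x5t#S256 (sha256). Defaulting to
    SHA-256 is this example's assumption, not WSO2's implementation."""
    return b64url(hashlib.new(algorithm, der_cert).digest())


def kid_to_hex(kid: str) -> str:
    return b64url_decode(kid).hex()


def signing_tenant(jwt_signed_with_sp_key: bool, sp_tenant: str, user_tenant: str) -> str:
    """Tenant whose keystore signs the token: the SP's tenant when
    JWTSignedWithSPKey is on, otherwise the authenticated user's tenant
    (the selection quoted from DefaultIDTokenBuilder in the thread)."""
    return sp_tenant if jwt_signed_with_sp_key else user_tenant


def protected_header(kid: str, alg: str = "RS256") -> str:
    """JOSE protected header with the kid, serialised as the first JWS segment."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    return b64url(json.dumps(header, separators=(",", ":")).encode())


class JwksClient:
    """RP side: cache the OP's JWK Set; on an unknown kid, fetch it again once."""

    def __init__(self, fetch: Callable[[], dict]) -> None:
        self._fetch = fetch
        self.fetch_count = 0
        self._keys: Dict[str, dict] = {}
        self._reload()

    def _reload(self) -> None:
        self.fetch_count += 1
        keys = self._fetch().get("keys", [])
        self._keys = {k["kid"]: k for k in keys if "kid" in k}

    def key_for(self, kid: str) -> Optional[dict]:
        key = self._keys.get(kid)
        if key is None:          # unknown kid: the OP may have rotated, refresh once
            self._reload()
            key = self._keys.get(kid)
        return key               # still None: reject the token, never fall back to a default key


# Constructed stand-ins for per-tenant DER certificates (not real X.509 data).
TENANT_CERTS = {
    "carbon.super": b"constructed-der:carbon.super:2017",
    "foo.com": b"constructed-der:foo.com:2017",
}


def jwks_for(tenants: List[str]) -> dict:
    """What a JWKS endpoint should publish: one entry per key, kid = thumbprint,
    so every tenant's signing key is resolvable, not only the default one."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                      "kid": cert_thumbprint_kid(TENANT_CERTS[t]),
                      "x5t#S256": cert_thumbprint_kid(TENANT_CERTS[t])}
                     for t in tenants]}


def demo() -> dict:
    published = ["carbon.super"]                       # OP initially publishes only the super tenant key
    client = JwksClient(lambda: jwks_for(published))   # RP caches that set

    # ID token for a foo.com user with JWTSignedWithSPKey off: signed with foo.com's key.
    tenant = signing_tenant(False, "carbon.super", "foo.com")
    kid = cert_thumbprint_kid(TENANT_CERTS[tenant])
    header_segment = protected_header(kid)

    # The RP has never seen this kid; meanwhile the OP publishes foo.com's key too.
    published.append("foo.com")
    found = client.key_for(kid)                        # cache miss -> refetch -> hit

    # A kid matching no published key is refetched once and then rejected.
    missing = client.key_for(cert_thumbprint_kid(b"constructed-der:unknown"))
    return {"tenant": tenant, "kid": kid, "header": header_segment,
            "found": found is not None, "missing": missing is None,
            "fetches": client.fetch_count}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the thread makes falls out of `demo()`: with a hard-coded kid, the super tenant's entry is the only one a relying party could ever match, so a token signed by another tenant's keystore either fails verification or, worse, tempts an RP into verifying against the wrong key. A thumbprint-derived kid makes each key self-identifying, and the single refresh on an unknown kid is what lets key rotation work without restarting relying parties.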
