Hi Inthi,
My reading is that we need to expose it with the following format, with the same kid
value.

{
  "kty": "RSA",
  "e": "AQAB",
  "use": "sig",
  "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
  "alg": "RS256",
  "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
},
{
  "kty": "RSA",
  "e": "AQAB",
  "use": "sig",
  "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
  "alg": "RS512",
  "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
}


Excerpt from RFC 7517:

   (One example in which different keys might use the same "kid" value is
   if they have different "kty" (key type) values but are considered to be
   equivalent alternatives by the application using them.)



Cheers,
Ruwan A

On Wed, May 8, 2019 at 4:05 PM Inthirakumaaran Tharmakulasingham <inthirakumaa...@wso2.com> wrote:

> Hi all,
>
> Through the identity.xml it is possible to change the signature algorithm
> for the following JWT tokens
>
>
>    1. Access token
>    2. ID Token
>    3. UserInfoJWT
>
> It is possible to set different types of algorithms to each of the tokens.
>
> After a token is signed and sent to the user, they can access the JWKS
> endpoint to get the public key. In our current JWKS endpoint, we only show
> one key set like this
> {
>   "keys": [
>     {
>       "kty": "RSA",
>       "e": "AQAB",
>       "use": "sig",
>       "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
>       "alg": "RS256",
>       "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
>     }
>   ]
> }
>
> By using this keyset, the user can create the public key and validate his
> token. Please refer to [1] for the meaning of each element in the keyset.
>
> Currently, we are hard-coding the value of "alg" which will be used to
> decode the signature. But ideally, we should read the value from
> identity.xml and expose it in the JWKS endpoint. If that is the case, then
> which algorithm should we read from identity.xml? Or do we have to expose
> different keysets for different algorithms (e.g. 3 different keysets if all
> of the above signature algorithms are different)?
>
> Reference
> [1] https://tools.ietf.org/html/rfc7517#page-8
>
> Thanks and Regards,
> Kumaaran
> --
> Inthirakumaaran
> Software Engineer | WSO2
>
> E-mail:inthirakumaa...@wso2.com
> Mobile:+94775558050
> Web:https://wso2.com
>

-- 

Ruwan Abeykoon
Associate Director/Architect,
WSO2, Inc. http://wso2.com
lean.enterprise.middleware.
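Added example, not code from the thread or from WSO2: a key-selection routine for the JWKS layout proposed above (two entries sharing one kid, differing only in alg), showing why a verifier has to match on both kid and alg once the endpoint publishes one entry per algorithm. The JWKS here is constructed; the kid is the one from the thread, the "n" values are placeholders.

```python
"""Select a verification key from a JWKS whose entries share one kid.

Added example, not WSO2 or thread code: the JWKS is constructed to mirror the
proposal above (two RSA entries, same kid, RS256 and RS512); "n" is a placeholder.
"""
from typing import Dict, List

KID = "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg"
# Constructed JWKS: kid is duplicated, so only "alg" tells the entries apart.
JWKS: Dict[str, List[Dict[str, str]]] = {"keys": [
    {"kty": "RSA", "e": "AQAB", "use": "sig", "kid": KID,
     "alg": "RS256", "n": "<placeholder-modulus-1>"},
    {"kty": "RSA", "e": "AQAB", "use": "sig", "kid": KID,
     "alg": "RS512", "n": "<placeholder-modulus-2>"},
]}

class KeySelectionError(Exception):
    """No key, or more than one key, matches the token header."""

def select_jwk(jwks: Dict[str, List[Dict[str, str]]],
               header: Dict[str, str]) -> Dict[str, str]:
    """Return the single JWK whose kid AND alg both match the JWT header.

    RFC 7517 permits duplicate kid values, so with one entry per algorithm
    kid alone is no longer a unique lookup. Requiring header alg == JWK alg
    also refuses a token that names an algorithm the key was never published
    for (HS256, "none", ...), which is the usual algorithm-confusion defence.
    """
    alg, kid = header.get("alg"), header.get("kid")
    if not alg or alg.lower() == "none":
        raise KeySelectionError("token header must name a real signing alg")
    if not kid:
        raise KeySelectionError("token header carries no kid")
    same_kid = [k for k in jwks["keys"]
                if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if not same_kid:
        raise KeySelectionError(f"no published key with kid {kid!r}")
    matches = [k for k in same_kid if k.get("alg") == alg]
    if len(matches) != 1:
        raise KeySelectionError(f"{len(matches)} keys match kid={kid!r} alg={alg!r}")
    return matches[0]

def can_select(jwks: Dict[str, List[Dict[str, str]]], header: Dict[str, str]) -> bool:
    """True when exactly one key is selected, False when selection is refused."""
    try:
        select_jwk(jwks, header)
        return True
    except KeySelectionError:
        return False
```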
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev