Hi all,

As per the offline discussions we had with @Ruwan Abeykoon <[email protected]> and @Farasath Ahamed <[email protected]>, we are going to create different keysets for different algorithms. In order to do that we are going to create a new KeyID generation method which combines the thumbprint of the certificate and the algorithm. For backward compatibility, we are adding a keyset with the thumbprint as KeyID as well.
Thank you @Ruwan Abeykoon <[email protected]> and @Farasath Ahamed <[email protected]>

Regards,
kumaaran

On Wed, May 8, 2019 at 4:42 PM Ruwan Abeykoon <[email protected]> wrote:
> Hi Inthi,
> My reading is that we need to expose it with the following format. Same kid value.
>
> {
>   kty: "RSA",
>   e: "AQAB",
>   use: "sig",
>   kid: "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
>   alg: "RS256",
>   n: "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
> },
> {
>   kty: "RSA",
>   e: "AQAB",
>   use: "sig",
>   kid: "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
>   alg: "RS512",
>   n: "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
> }
>
> Excerpt:
> (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.)
>
> Cheers,
> Ruwan A
>
> On Wed, May 8, 2019 at 4:05 PM Inthirakumaaran Tharmakulasingham <[email protected]> wrote:
>> Hi all,
>>
>> Through the identity.xml it is possible to change the signature algorithm for the following JWT tokens:
>>
>> 1. Access token
>> 2. ID Token
>> 3. UserInfoJWT
>>
>> It is possible to set different types of algorithms for each of the tokens.
>>
>> After a token is signed and sent to the user, they can access the JWKS endpoint to get the public key. In our current JWKS endpoint, we only show one key set like this:
>>
>> keys:
>> [
>>   {
>>     kty: "RSA",
>>     e: "AQAB",
>>     use: "sig",
>>     kid: "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
>>     alg: "RS256",
>>     n: "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
>>   }
>> ]
>>
>> By using this keyset, the user can create the public key and validate his token. Please refer to [1] for each element in the keyset.
>>
>> Currently, we are hard-coding the value of "alg" which will be used to decode the signature. But ideally, we should read the value from identity.xml and expose it in the JWKS endpoint. If that is the case, then which algorithm should we read from identity.xml? Or do we have to expose different keysets for different algorithms (e.g. 3 different keysets if all of the above signature algorithms are different)?
>>
>> Reference
>> [1] https://tools.ietf.org/html/rfc7517#page-8
>>
>> Thanks and Regards,
>> Kumaaran
>> --
>> Inthirakumaaran
>> Software Engineer | WSO2
>> E-mail: [email protected]
>> Mobile: +94775558050
>> Web: https://wso2.com
>
> --
> Ruwan Abeykoon
> Associate Director/Architect, WSO2, Inc. http://wso2.com
> lean.enterprise.middleware.
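As an added illustration (not code from this thread or from WSO2), the Python below works through the scheme the thread settles on: it decodes the kid value quoted above back to its 40-character hex thumbprint, derives a separate kid per configured algorithm while keeping the thumbprint-only kid for backward compatibility, and resolves a JWS header by kid and alg together, since RFC 7517 allows several keys to share one kid. The combined-kid layout (base64url of "<hex thumbprint>_<alg>"), the certificate bytes and the RSA modulus are assumptions or constructed values, not the format WSO2 chose.

```python
import base64
import hashlib

# kid value quoted in the thread; decoding it yields a hex SHA-1 thumbprint.
PAGE_KID = "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg"
# Constructed stand-ins: not a real DER certificate and not a real RSA modulus.
CERT_DER = b"constructed-certificate-der-bytes"
PUBLIC_N = "constructed-modulus-base64url"
PUBLIC_E = "AQAB"


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used by the kid values above."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint_hex(cert_der: bytes) -> str:
    """SHA-1 over the certificate DER as 40 lowercase hex characters."""
    return hashlib.sha1(cert_der).hexdigest()


def legacy_kid(cert_der: bytes) -> str:
    """Backward-compatible kid: base64url of the hex thumbprint string."""
    return b64url(thumbprint_hex(cert_der).encode("ascii"))


def alg_kid(cert_der: bytes, alg: str) -> str:
    """Assumed combined form: base64url('<hex thumbprint>_<alg>')."""
    return b64url(f"{thumbprint_hex(cert_der)}_{alg}".encode("ascii"))


def build_jwks(cert_der: bytes, n: str, e: str, algs, legacy_alg="RS256") -> dict:
    """One entry per configured alg with its own kid, plus the legacy entry."""
    base = {"kty": "RSA", "e": e, "use": "sig", "n": n}
    keys = [dict(base, kid=legacy_kid(cert_der), alg=legacy_alg)]
    for alg in algs:
        keys.append(dict(base, kid=alg_kid(cert_der, alg), alg=alg))
    return {"keys": keys}


def select_key(jwks: dict, kid: str, alg: str):
    """Resolve a JWS header. kid alone is not unique (RFC 7517), so the
    entry's alg must also equal the header's alg before the key is used."""
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("alg") == alg:
            return key
    return None
```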
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
