Hello folks - I hope someone can help answer a quick question: https://datatracker.ietf.org/doc/html/rfc7515#section-5.2 does not make any indication if a Claims payload may be parsed before signature/MAC verification.
I am a JOSE library author/maintainer and I've had application developers request the ability to look at information in a Claims payload to help find the key used to verify the signature/MAC. Their concerns are that an Identity Provider may use a key id (kid) in the header that is not guaranteed to be globally unique, and they may need other information in the Claims (e.g. issuer) to help them locate the appropriate key. My response was that there are many other options like jku, jwk thumprints as key ids, x5t, etc, that all mitigate this concern, and I dislike parsing payloads that haven't been cryptographically verified due to potential security issues otherwise. But they said those additional headers are only relevant if if the IdP actually uses those values, and if not, they still might need to look in the claims. What is the JOSE committee's stance on parsing the claims before signature verification? Thank you kindly, Les
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
