Re: [Dev] Differentiating signature algorithm in JWKS endpoint

2019-05-08 Thread Ruwan Abeykoon
Hi Inthi,
My reading is that we need to expose it with the following format. Same kid
value.

[
  {
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
    "alg": "RS256",
    "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
  },
  {
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
    "alg": "RS512",
    "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
  }
]


Excerpt:

    (One example in which different keys might use the same "kid" value is if
    they have different "kty" (key type) values but are considered to be
    equivalent alternatives by the application using them.)



Cheers,
Ruwan A

On Wed, May 8, 2019 at 4:05 PM Inthirakumaaran Tharmakulasingham <
inthirakumaa...@wso2.com> wrote:

> Hi all,
>
> Through the identity.xml it is possible to change the signature algorithm
> for the following JWT tokens:
>
>
>1. Access token
>2. ID Token
>3. UserInfoJWT
>
> It is possible to set different types of algorithms to each of the tokens.
>
> After a token is signed and sent to the user, they can access the JWKS
> endpoint to get the public key. In our current JWKS endpoint, we only show
> one key set like this:
>
> {
>   "keys": [
>     {
>       "kty": "RSA",
>       "e": "AQAB",
>       "use": "sig",
>       "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
>       "alg": "RS256",
>       "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
>     }
>   ]
> }
>
> By using this keyset, the user can create the public key and validate his
> token. Please refer to [1] for the meaning of each element in the keyset.
>
> Currently, we are hard-coding the value of "alg" which will be used to
> decode the signature. But ideally, we should read the value from
> identity.xml and expose it in the JWKS endpoint. If that is the case, then
> which algorithm should we read from identity.xml? Or do we have to expose
> different keysets for different algorithms (e.g. 3 different keysets if all
> of the above signature algorithms are different)?
>
> Reference
> [1] https://tools.ietf.org/html/rfc7517#page-8
>
> Thanks and Regards,
> Kumaaran
> --
> *Inthirakumaaran*
> Software Engineer | WSO2
>
> E-mail:inthirakumaa...@wso2.com
> Mobile:+94775558050
> Web:https://wso2.com
>

-- 

*Ruwan Abeykoon*
*Associate Director/Architect**,*
*WSO2, Inc. http://wso2.com  *
*lean.enterprise.middleware.*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Differentiating signature algorithm in JWKS endpoint

2019-05-08 Thread Inthirakumaaran Tharmakulasingham
Hi all,

Through the identity.xml it is possible to change the signature algorithm
for the following JWT tokens:


   1. Access token
   2. ID Token
   3. UserInfoJWT

It is possible to set different types of algorithms to each of the tokens.

After a token is signed and sent to the user, they can access the JWKS
endpoint to get the public key. In our current JWKS endpoint, we only show
one key set like this:

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "ODMyNzRmOTE4NWVkMjE4NTJkNjAwYWI5YWRjODZiZGIyM2FiYWEwZg",
      "alg": "RS256",
      "n": "hIBgxdAVKh00IiY_VA6EXoQt6VaodNiwD2RFXkRu-AJn8zJ7lLs4t5tX6Cqa5UTSYXmjMvbBkOoSHiRWuEd-4X40lnm_02PrDhpuCj9EcNMmwPUHeFXxVSnw2lQ2I72KuHVx3ooWjFj7ssIM3bAnaOVlGwPj8cEL4FCgVdtd4cR2jLHyo8mk7IIYde9EYifeXluZ8knJ16y693WwaasFApvpP9Kee7AlLFhfReldWJNKNSROGKNkmX76KGcBttYh2UeALYEK5VNU0BCJx_pLwkAKka1l46eXsu78Chz3oO52AYh947YgZ_mejIvl8vN-bZogOGEalPky3JthmAsEwQ"
    }
  ]
}

By using this keyset, the user can create the public key and validate his
token. Please refer to [1] for the meaning of each element in the keyset.

Currently, we are hard-coding the value of "alg" which will be used to
decode the signature. But ideally, we should read the value from
identity.xml and expose it in the JWKS endpoint. If that is the case, then
which algorithm should we read from identity.xml? Or do we have to expose
different keysets for different algorithms (e.g. 3 different keysets if all
of the above signature algorithms are different)?

Reference
[1] https://tools.ietf.org/html/rfc7517#page-8

Thanks and Regards,
Kumaaran
-- 
*Inthirakumaaran*
Software Engineer | WSO2

E-mail:inthirakumaa...@wso2.com
Mobile:+94775558050
Web:https://wso2.com


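The following Go program is an added example, not code from this thread or from WSO2. It models both messages above: the JWKS is published with one entry per configured signature algorithm, all sharing the same kid because they wrap the same RSA key (Ruwan's proposal), and the verifier selects the key by kid and alg together, so a token whose header names an algorithm that was never published for that kid is rejected before any signature is checked. The JWK member names are the ones shown in the thread (RFC 7517); the key pair, the claims and the kid value "demo-kid" are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers the digests behind crypto.SHA256 and crypto.SHA512
	_ "crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517 members the JWKS endpoint in the thread exposes.
type JWK struct {
	Kty string `json:"kty"`
	E   string `json:"e"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding
// hashFor maps each supported "alg" to the digest RSASSA-PKCS1-v1_5 uses with it.
var hashFor = map[string]crypto.Hash{"RS256": crypto.SHA256, "RS512": crypto.SHA512}

// PublishJWKS builds one entry per configured algorithm, all with the same kid (same RSA key).
func PublishJWKS(pub *rsa.PublicKey, kid string, algs []string) JWKS {
	n := b64.EncodeToString(pub.N.Bytes())
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	var ks JWKS
	for _, alg := range algs {
		ks.Keys = append(ks.Keys, JWK{Kty: "RSA", E: e, Use: "sig", Kid: kid, Alg: alg, N: n})
	}
	return ks
}

// SignJWT issues a compact JWS (header.payload.signature) under the given alg.
func SignJWT(priv *rsa.PrivateKey, kid, alg string, claims map[string]interface{}) (string, error) {
	h, ok := hashFor[alg]
	if !ok {
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	d := h.New()
	d.Write([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, h, d.Sum(nil))
	return input + "." + b64.EncodeToString(sig), err
}

// SelectKey matches on kid AND alg: kid alone is ambiguous once entries share it, and
// matching alg ties verification to an algorithm the server actually published.
func SelectKey(ks JWKS, kid, alg string) (*rsa.PublicKey, crypto.Hash, error) {
	for _, k := range ks.Keys {
		if k.Kty != "RSA" || k.Use != "sig" || k.Kid != kid || k.Alg != alg || hashFor[alg] == 0 {
			continue
		}
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, 0, fmt.Errorf("malformed JWK for kid %q", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, hashFor[alg], nil
	}
	return nil, 0, fmt.Errorf("no published key with kid=%q alg=%q", kid, alg)
}

// VerifyJWT checks the signature with the entry selected by (kid, alg) and returns the claims.
func VerifyJWT(ks JWKS, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, h, err := SelectKey(ks, hdr.Kid, hdr.Alg)
	if err != nil {
		return nil, err
	}
	d := h.New()
	d.Write([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, h, d.Sum(nil), sig); err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(pb, &claims)
}
```

With a key set built by PublishJWKS for RS256 and RS512, a token signed under either algorithm verifies against the entry with the matching alg, while a token whose header says RS256 over an RS512 signature, or names an algorithm absent from the published entries for that kid, fails in SelectKey. The alg published on the server side is what decides which digest the verifier uses; the token header only selects among entries the server chose to expose.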


Re: [Dev] Error when accessing SP after changing TokenPersistenceProcessor in identity.xml

2019-05-08 Thread Hasini Witharana
Hi Farasath,

Thank you for the clarification.

Thank You.
Hasini.

On Wed, May 8, 2019 at 2:56 PM Farasath Ahamed  wrote:

> Hi Hasini,
>
> AFAIS this is the expected behaviour.
>
> Changing the token processor with existing data cannot be done unless
> you bring the old data to the format understood by the new token processor.
>
> Regards,
> Farasath
>
> On Wed, May 8, 2019 at 2:53 PM Hasini Witharana  wrote:
>
>> Hi All,
>>
>> I created an SP with the below property.
>>
>> *org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor*
>>
>> Then I changed the configuration as below, restarted the server and
>> created another SP.
>>
>> *org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor*
>>
>> When I try to edit the first SP which was created before the config
>> change I got the below error. Is this the expected behaviour?
>>
>> Caused by: org.wso2.carbon.identity.oauth.IdentityOAuthAdminException:
>> Error occurred while processing client id and client secret by
>> TokenPersistenceProcessor
>> at
>> org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO.getOAuthConsumerSecret(OAuthConsumerDAO.java:87)
>> at
>> org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.getClientSecret(OAuthApplicationMgtListener.java:294)
>> at
>> org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.addClientSecret(OAuthApplicationMgtListener.java:270)
>>
>> Thank You.
>> Hasini
>> --
>> *Hasini Witharana | **Software Engineer | **WSO2 Inc *
>> *(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com
>> *
>>
>>
>
> --
> Farasath Ahamed
> Associate Technical Lead, WSO2 Inc.: http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 

-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc *
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *


Re: [Dev] Error when accessing SP after changing TokenPersistenceProcessor in identity.xml

2019-05-08 Thread Farasath Ahamed
Hi Hasini,

AFAIS this is the expected behaviour.

Changing the token processor with existing data cannot be done unless
you bring the old data to the format understood by the new token processor.

Regards,
Farasath

On Wed, May 8, 2019 at 2:53 PM Hasini Witharana  wrote:

> Hi All,
>
> I created an SP with the below property.
>
> *org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor*
>
> Then I changed the configuration as below, restarted the server and
> created another SP.
>
> *org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor*
>
> When I try to edit the first SP which was created before the config change
> I got the below error. Is this the expected behaviour?
>
> Caused by: org.wso2.carbon.identity.oauth.IdentityOAuthAdminException:
> Error occurred while processing client id and client secret by
> TokenPersistenceProcessor
> at
> org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO.getOAuthConsumerSecret(OAuthConsumerDAO.java:87)
> at
> org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.getClientSecret(OAuthApplicationMgtListener.java:294)
> at
> org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.addClientSecret(OAuthApplicationMgtListener.java:270)
>
> Thank You.
> Hasini
> --
> *Hasini Witharana | **Software Engineer | **WSO2 Inc *
> *(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *

-- 
Farasath Ahamed
Associate Technical Lead, WSO2 Inc.: http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 



[Dev] Error when accessing SP after changing TokenPersistenceProcessor in identity.xml

2019-05-08 Thread Hasini Witharana
Hi All,

I created an SP with the below property.
*org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor*

Then I changed the configuration as below, restarted the server and
created another SP.
*org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor*

When I try to edit the first SP which was created before the config change
I got the below error. Is this the expected behaviour?

Caused by: org.wso2.carbon.identity.oauth.IdentityOAuthAdminException:
Error occurred while processing client id and client secret by
TokenPersistenceProcessor
at
org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO.getOAuthConsumerSecret(OAuthConsumerDAO.java:87)
at
org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.getClientSecret(OAuthApplicationMgtListener.java:294)
at
org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener.addClientSecret(OAuthApplicationMgtListener.java:270)

Thank You.
Hasini
-- 
*Hasini Witharana | **Software Engineer | **WSO2 Inc *
*(m) 0766435725 | (w) 0713850143 | (e) hasi...@wso2.com *
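The following Go program is an added example, not code from this thread or from WSO2; it models the failure Hasini reports and the remedy Farasath gives. The Processor interface, with the method names Process and PreProcess, is an assumed stand-in for the TokenPersistenceProcessor contract; PlainText and an AES-GCM-based Encrypting processor play the roles of the two classes switched in identity.xml (the real encrypted format is not described in the thread, so AES-GCM is an assumption). Store.GetSecret does what the DAO does when an SP is edited: it hands the stored value to whichever processor is currently configured, so a row written as plaintext fails once the encrypting processor is in place. Store.Migrate is the remedy: decode every row with the old processor and re-encode it with the new one before switching, all-or-nothing. The store contents, client ids and AES key are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Processor is an assumed stand-in for the TokenPersistenceProcessor contract:
// Process transforms a client secret for storage, PreProcess reverses it on read.
type Processor interface {
	Process(secret string) (string, error)
	PreProcess(stored string) (string, error)
}

// PlainText stores the secret verbatim, like PlainTextPersistenceProcessor.
type PlainText struct{}

func (PlainText) Process(s string) (string, error)    { return s, nil }
func (PlainText) PreProcess(s string) (string, error) { return s, nil }

// Encrypting stores "enc:" + base64(nonce || AES-GCM ciphertext). AES-GCM is an
// assumed stand-in for whatever EncryptionDecryptionPersistenceProcessor really uses.
type Encrypting struct{ aead cipher.AEAD }

func NewEncrypting(key []byte) (*Encrypting, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Encrypting{aead: aead}, err
}

func (e *Encrypting) Process(s string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := e.aead.Seal(nonce, nonce, []byte(s), nil) // nonce is prepended to the ciphertext
	return "enc:" + base64.StdEncoding.EncodeToString(ct), nil
}

func (e *Encrypting) PreProcess(stored string) (string, error) {
	ns := e.aead.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "enc:"))
	if !strings.HasPrefix(stored, "enc:") || err != nil || len(raw) < ns {
		return "", fmt.Errorf("stored value is not in the encrypting processor's format")
	}
	pt, err := e.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt: %w", err)
	}
	return string(pt), nil
}

// Store stands in for the consumer-app table (client id -> stored secret) plus the configured processor.
type Store struct {
	proc    Processor
	secrets map[string]string
}

// AddSP registers a service provider, writing its secret under the current processor.
func (s *Store) AddSP(clientID, secret string) error {
	stored, err := s.proc.Process(secret)
	if err == nil {
		s.secrets[clientID] = stored
	}
	return err
}

// GetSecret does what the DAO does when an SP is edited: it hands the stored value
// to the *current* processor, which fails for rows written under the previous one.
func (s *Store) GetSecret(clientID string) (string, error) {
	stored, ok := s.secrets[clientID]
	if !ok {
		return "", fmt.Errorf("unknown client %q", clientID)
	}
	return s.proc.PreProcess(stored)
}

// Migrate decodes every row with the old processor, re-encodes it with the new one and
// only then switches; the new map is swapped in at the end, so a failure changes nothing.
func (s *Store) Migrate(to Processor) error {
	migrated := make(map[string]string, len(s.secrets))
	for id, stored := range s.secrets {
		plain, err := s.proc.PreProcess(stored)
		if err != nil {
			return fmt.Errorf("client %q: %w", id, err)
		}
		if migrated[id], err = to.Process(plain); err != nil {
			return err
		}
	}
	s.secrets, s.proc = migrated, to
	return nil
}
```

Switching s.proc from PlainText to Encrypting without migrating reproduces the thread's situation: the SP created afterwards reads back fine, the one created before fails in PreProcess, which is the layer the reported stack trace points at. Running Migrate first converts the old row into the new format, and a store that already holds rows in mixed formats cannot be migrated at all until the mismatched rows are brought into the currently configured format.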