How to construct jkt claim? Any plans to add it to library?
https://developer.okta.com/docs/guides/dpop/main/#build-the-request
Here is the JWK I passed to the OAuth server token endpoint:
{"kty":"RSA","kid":"testoauth01.app","use":"sig","n":"sCeUuD0YudiM4GSubTD7TIYqlSg0zdhSPfZOJapn-swabtix8q0COSK48XUSu6kjBd1BFNzAikH9Z8EjsMmEnLMW8OSHo12FV7y21lLjUr7Sk9bFeIKTJoUGj6l733rWXdpvrgDL-T9LdbTfa5ZPOH93byHPQvh-KpU4i-wIir0CGToV2F7rHsmrhreHAd_fJCUalF8ggI_4Y0gi6PbRY5CjLQl13oEA4r0PcUP4GtHYfw-mNL07NGDN2OKUWpEHDi3Ft_exIuFmNOdv454jIscQACMkk6OoxGahPUXwHebQchib5EfK3p8oQEstNnk4QdGLiZoA043qlH7I4DdG6w","e":"AQAB","x5c":["…","…"]}
The OAuth server introspection API is returning jkt as 2zAFuDzsg3K4anyjGzFF1QHn8R5F2_gsZL97xkQ7fl0
jkt : A base64url encoding of the JWK SHA-256 hash of the DPoP public key (in JWK format)
I tried to construct it using the code below and got zU6OIxjbigM92IO7seFed3iRWyc1FDhFFMktJM__pI8
import java.security.MessageDigest;
import org.jose4j.base64url.Base64Url;
import org.jose4j.jwk.JsonWebKey.OutputControlLevel;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.lang.HashUtil;

public static String jktS256(PublicJsonWebKey jwk) {
    return base64urlThumbprint(jwk, "SHA-256");
}

private static String base64urlThumbprint(PublicJsonWebKey jwk, String hashAlg) {
    MessageDigest msgDigest = HashUtil.getMessageDigest(hashAlg);
    // Hashes the full public JWK as jose4j serializes it (here including kid, use and x5c,
    // in serialization order), not the RFC 7638 canonical subset in lexicographic order.
    // getBytes() with no charset also uses the platform default encoding.
    byte[] jwkBytes = jwk.toJson(OutputControlLevel.PUBLIC_ONLY).getBytes();
    byte[] digest = msgDigest.digest(jwkBytes);
    return Base64Url.encode(digest);
}
I am not sure what I did wrong.
Comments (9)
repo owner The thumbprint calculation needs to be per RFC 7638, which normalizes the JWK. (The original spec text mentions RFC 7638, https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-jwk-thumbprint-confirmation, but the Okta guide seems to have dropped that detail.)
But anyway, JsonWebKey has a method public String calculateBase64urlEncodedThumbprint(String hashAlgorithm) that will do it. Using that rather than the base64urlThumbprint(...) you've got above should do it.
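To show why the two results differ, here is an added example (editor's code, not part of the issue and not jose4j) that implements the RFC 7638 thumbprint in Python alongside the "hash whatever the serializer emitted" approach from the report, and then uses the thumbprint the way a resource server does for DPoP: comparing the jkt in the access token's cnf claim with the thumbprint of the jwk in the proof's JWS header. The RSA key is the one from the report (x5c omitted, since the chain is not reproduced in the thread); the EC key in the test is a constructed placeholder, not a real point, and the function names (canonical_jwk, jwk_thumbprint, naive_thumbprint, dpop_binding_ok) are this example's own. The jkt value quoted from the introspection response in the report is included only so that running the script prints both side by side for comparison.

```python
"""RFC 7638 JWK thumbprint (the DPoP "jkt") versus hashing a raw JWK serialisation."""
import hashlib
import hmac
import json
from base64 import urlsafe_b64encode

# RFC 7638 section 3.2: the only members that go into the hash, per key type.
# They must be serialised in lexicographic order with no whitespace.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 keys
    "oct": ("k", "kty"),
}

# Public RSA key from the issue report (kid/use kept, x5c omitted).
REPORT_MODULUS = "sCeUuD0YudiM4GSubTD7TIYqlSg0zdhSPfZOJapn-swabtix8q0COSK48XUSu6kjBd1BFNzAikH9Z8EjsMmEnLMW8OSHo12FV7y21lLjUr7Sk9bFeIKTJoUGj6l733rWXdpvrgDL-T9LdbTfa5ZPOH93byHPQvh-KpU4i-wIir0CGToV2F7rHsmrhreHAd_fJCUalF8ggI_4Y0gi6PbRY5CjLQl13oEA4r0PcUP4GtHYfw-mNL07NGDN2OKUWpEHDi3Ft_exIuFmNOdv454jIscQACMkk6OoxGahPUXwHebQchib5EfK3p8oQEstNnk4QdGLiZoA043qlH7I4DdG6w"
REPORT_JWK = {"kty": "RSA", "kid": "testoauth01.app", "use": "sig",
              "n": REPORT_MODULUS, "e": "AQAB"}
# jkt the reporter saw in the introspection response (quoted from the issue).
REPORTED_JKT = "2zAFuDzsg3K4anyjGzFF1QHn8R5F2_gsZL97xkQ7fl0"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """The exact string RFC 7638 says to hash: required members only, sorted, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required member(s): {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    # sort_keys sorts by Unicode code point, which is the order RFC 7638 requires;
    # separators=(",", ":") removes the whitespace json.dumps inserts by default.
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """base64url(HASH(canonical JWK)); with SHA-256 this is the DPoP jkt."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return b64url(digest)


def naive_thumbprint(jwk: dict) -> str:
    """What the report's base64urlThumbprint() effectively does: hash the whole
    serialised JWK, extra members (kid, use, x5c, ...) and member order included."""
    return b64url(hashlib.sha256(json.dumps(jwk).encode("utf-8")).digest())


def dpop_binding_ok(access_token_cnf: dict, proof_header: dict) -> bool:
    """Resource-server check: the jkt in the access token's cnf claim must equal
    the thumbprint of the public key carried in the DPoP proof's JWS header."""
    expected = access_token_cnf.get("jkt")
    jwk = proof_header.get("jwk")
    if not isinstance(expected, str) or not isinstance(jwk, dict):
        return False
    # A proof carrying private key members is malformed; reject instead of hashing it.
    if any(m in jwk for m in ("d", "p", "q", "dp", "dq", "qi")):
        return False
    try:
        actual = jwk_thumbprint(jwk)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


if __name__ == "__main__":
    print("canonical JSON :", canonical_jwk(REPORT_JWK))
    print("RFC 7638 jkt   :", jwk_thumbprint(REPORT_JWK))
    print("introspection  :", REPORTED_JKT)
    print("naive hash     :", naive_thumbprint(REPORT_JWK))
```

The canonical string for an RSA key is always {"e":…,"kty":"RSA","n":…}, so kid, use, x5c and the order the serializer happened to pick cannot change the jkt; the naive hash changes with every one of them, which is why two correct implementations of the same key disagreed in the report.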
repo owner - changed status to open
reporter Thanks Brian Campbell. It is so stupid of me. The method is right there and I couldn't find it. I searched for a getXXX method along the lines of getX509CertificateSha256Thumbprint(true).
reporter - changed status to resolved
reporter - changed status to open
reporter - changed status to resolved
reporter - changed status to closed