option to attempt verification on all candidate keys when more than one is eligible

Issue #94 closed
Brian Campbell repo owner created an issue

Add an option to attempt verification on all candidate keys when more than one is selected in JwksVerificationKeyResolver and maybe HttpsJwksVerificationKeyResolver.

Comments (9)

  1. peter huang

    Can you give me a hint on how the verification is done? I have a hard time getting the JWKS and HTTPS key resolvers to work; it keeps coming back with invalid signature. I can only attribute it to kid matching not being what I was expecting. I have a proper /pf/JWKS (using PingFed); when the HTTPS resolver did not work, I pulled it down using getJsonWebKey, constructed the JwksVerificationKeyResolver set and ran through an iterator. Despite seeing that the kid is in there, it still failed. I constructed an X509 key resolver, added a cert and it went OK. What did I miss here?

  2. Brian Campbell

    It sounds like maybe you're attempting to validate/verify OAuth access tokens? The /pf/JWKS endpoint only publishes the verification keys for OpenID Connect ID tokens. For JWT access tokens, you'll need to point to a JWKS endpoint as configured in the JWT access token manager in PF, and that's a feature that's available starting with PF 8.2. Prior to 8.2 there are some other key publishing features in the JWT access token manager, including an endpoint for X.509 certs. See Issue #73 for a lot more info about that.

    https://bitbucket.org/b_c/jose4j/issues/73/support-for-resolving-keys-from-a-https

  3. peter huang

    I'm running PF 8.3.1. I think I have set up the JWKS endpoint like https://[pf_server]:9031/pf/JWKS, is that not correct? I want to validate the JWT token with whatever the rightful setup is. I can use the X509 key resolver and just need to know that is the right path.

  4. peter huang

    Just read through issue 73 and he is describing the same thing I have experienced. Thanks for posting the code, it really helps.

  5. Brian Campbell reporter

    For access tokens you have to turn on the JWKS endpoint by configuring a "JWKS ENDPOINT PATH" in the JWT access token manager.

    So, for example, if you put "/oauth/jwks" as the value of that field (as shown in the screen shot below) then the path to use with the HttpsJwksVerificationKeyResolver would be https://<pf_host>:9031/ext/oauth/jwks

    [Screenshot attached: Screen Shot 2017-05-05 at 8.53.42 AM.png, showing the "JWKS ENDPOINT PATH" field in the JWT access token manager]

  6. Brian Campbell reporter

    d4e1b5c add a selectWithVerifySignatureDisambiguate(...) to VerificationJwkSelector that will use a signature verification on all selected keys from selectList(...) when there is more than one that was otherwise selected based on the headers. And add a setDisambiguateWithVerifySignature(true) option on HttpsJwksVerificationKeyResolver and JwksVerificationKeyResolver to use that rather than the select(...) that gives one key based on the header selection and the first one if there were more than one.

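Worked example of the option described in comment 6, added here for illustration; it is not part of the original thread and not code from the jose4j project itself. It uses only jose4j's public API (RsaJwkGenerator, JsonWebSignature, JwksVerificationKeyResolver, HttpsJwksVerificationKeyResolver, setDisambiguateWithVerifySignature, JwtConsumerBuilder). The issuer, audience, kid, subject and PF host name are constructed stand-ins. Two different RSA keys are published under the same kid, the token is signed with the second one, and the same token is verified twice: once with the default resolver, which takes the first header-selected key and therefore fails, and once with setDisambiguateWithVerifySignature(true), which tries the signature against every candidate and succeeds. The pfResolver helper shows the same option on the HTTPS-backed resolver pointed at the path from comment 5; it is not called because it needs network access.

```java
import java.util.Arrays;
import java.util.List;

import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;

public class DisambiguateKidDemo {

    // Constructed values for the demo; not taken from any real deployment.
    static final String ISSUER = "https://pf.example.com";
    static final String AUDIENCE = "api://example";
    static final String SHARED_KID = "pf-signing-key";

    public static void main(String[] args) throws Exception {
        // Two distinct RSA keys published under one kid, the situation in
        // which header-based selection (kid, kty, alg) leaves two candidates.
        RsaJsonWebKey olderKey = RsaJwkGenerator.generateJwk(2048);
        RsaJsonWebKey newerKey = RsaJwkGenerator.generateJwk(2048);
        olderKey.setKeyId(SHARED_KID);
        newerKey.setKeyId(SHARED_KID);
        List<JsonWebKey> published = Arrays.asList(olderKey, newerKey);

        // Sign with the second key so the first-match behaviour picks the wrong one.
        String jwt = sign(newerKey);

        // 1) Default: select(...) returns the first of the matching keys.
        JwksVerificationKeyResolver firstMatch = new JwksVerificationKeyResolver(published);
        try {
            consumer(firstMatch).processToClaims(jwt);
            System.out.println("unexpected: token verified with the first matching key");
        } catch (InvalidJwtException e) {
            // Signature check fails because olderKey was used to verify.
            System.out.println("default resolver rejected the token: " + e.getMessage());
        }

        // 2) Disambiguate by verifying the signature against every candidate.
        JwksVerificationKeyResolver tryAll = new JwksVerificationKeyResolver(published);
        tryAll.setDisambiguateWithVerifySignature(true);
        JwtClaims claims = consumer(tryAll).processToClaims(jwt);
        System.out.println("disambiguating resolver accepted the token, sub=" + claims.getSubject());
    }

    // Build a signed JWT (RS256) carrying the given key's kid in the header.
    static String sign(RsaJsonWebKey key) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setAudience(AUDIENCE);
        claims.setSubject("peter");               // constructed subject
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(10);

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setKeyIdHeaderValue(key.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    // Consumer that validates iss, aud and exp and resolves keys via the given resolver.
    static JwtConsumer consumer(VerificationKeyResolver resolver) {
        return new JwtConsumerBuilder()
                .setExpectedIssuer(ISSUER)
                .setExpectedAudience(AUDIENCE)
                .setRequireExpirationTime()
                .setVerificationKeyResolver(resolver)
                .build();
    }

    // Same option on the HTTPS-backed resolver, using the JWKS path configured
    // in the PF JWT access token manager (comment 5). Not invoked in this demo.
    static HttpsJwksVerificationKeyResolver pfResolver(String pfHost) {
        HttpsJwks jwks = new HttpsJwks("https://" + pfHost + ":9031/ext/oauth/jwks");
        HttpsJwksVerificationKeyResolver resolver = new HttpsJwksVerificationKeyResolver(jwks);
        resolver.setDisambiguateWithVerifySignature(true);
        return resolver;
    }
}
```

The option only changes behaviour when header-based selection leaves more than one key; with a single candidate the resolver behaves as before. Each extra candidate costs one extra signature verification, which is why it is opt-in rather than the default.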