- edited description
validate token without knowing the algorithm used
Issue #174
wontfix
Hi there,
I am trying to validate the token. So the input i have is
1) token
2) url to get the public key
I have to pass the JWSVerificationKeySelector to pass the keysource which is nothing but url.
When i get the token i am not sure which algorithm i need to use, unless I parse the token and get the algoritm and then pass to it. How do i override it
means : I only know token and url and will just pass to it. This will identify the algorithm and do the validate
Below is the code snippet.
I passed the algorithm type ahead of validating the token,and currently this is the only way I think I can validate. Is there any other way i can validate the token without knowing the algorithm
JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlg, keySource);
jwtProcessor.setJWSKeySelector(keySelector);
SecurityContext ctx = null;
JWTClaimsSet claimsSet = jwtProcessor.process("token3", ctx);
thanks
Comments (10)
-
reporter
-
reporter
- edited description
-
reporter
- edited description
-
Does the published JWK set associated an "alg" for each key?
https://tools.ietf.org/html/rfc7517#section-4.4
Not sure how good a security practise is to not have a previous contract on what JWS / JWE algs to expect.
Otherwise you can create a RemoteJWKSet instance and keep it around for reuse, while creating the key selector on demand.
-
reporter
Thanks i think it varies our jwks url will not get alg on it
{"keys":[{ "kty":"RSA", "use":"sig", "kid":"xxxx", "x5t":"xxx", "n":"nnnn", "e":"xxx", "x5c":["sssss"]}]}
Also from my understanding I cannot use RemoteJWKSet because it always look into the cache to get the data. if we have multiple tokens comming from different vendors the jwksurl will be different. Other wise I have to call explicity
DefaultResourceRetriever togetAlgorithmType = new DefaultResourceRetriever(); Resource resource = togetAlgorithmType.retrieveResource(new URL("https://lxxxxxxx/keys")); JWKSet jwkSet = JWKSet.parse(resource.getContent()); for (JWK key: jwkSet.getKeys()) { System.out.println(key.getAlgorithm()); System.out.println(key.getKeyType()); System.out.println(key.getKeyID()); System.out.println(key.getKeyUse()); } #Anyway I cant get the algorithm from jwsurl. The only way I can get is parse the token and get the algorithm form the header.
Thanks VInoj
-
If the "kty" is "RSA" then the algorithm can be one of the following:
JWSAlgorithm.RS256 JWSAlgorithm.RS384 JWSAlgorithm.RS512 JWSAlgorithm.PS256 JWSAlgorithm.PS384 JWSAlgorithm.PS512Regarding the JWKSource, keep one caching RemoteJWKSet around for each vendor (to benefit from its caching), and use it to create the selector on demand.
-
reporter
Thanks totally understand
yes if the kty is "RSA" the algorithm will be either one of the 6. But how do I know unless if I parse the token and get it from the header :)
yes for the JWKSource i can keep one for each vendor. Thanks for explaining.
Thanks Vinoj
-
In your case just reuse the RemoteJWKSet because caching is critical for performance. Having to fetch HTTP data repeatedly just to verify a token can bog your app down.
Don't worry about creating a new key selector, that is efficient.
-
- marked as proposal
-
- changed status to wontfix
Keep policy to always require the expected JOSE alg to be known in advance.
- Log in to comment
