Enhance JWKMatcher to match on x5 parameters
We want to have a Resource Server that can accept JWS tokens from multiple different issuers.
The solution we currently are thinking about is to take N JWK set URLs and create a composite JWK set, and then have the JWKMatcher match the correct JWK from this composite set.
Our challenge is that we cannot guarantee that the kid will be unique across multiple issuers, meaning that JWKMatcher may select the wrong key.
A possible solution may be to enhance JWSVerificationKeySelector and JWKMatcher so that it can also match the X.509 thumbprint in the JWS header to the thumbprint in each JWK that we retrieved from the composite set.
Comments (4)
reporter: Here's kind of what I'm thinking for thumbprint support: https://bitbucket.org/jzheaux/nimbus-jose-jwt/commits/281e8f90904b378b68a20552f0d9bb705edd8ac4?at=add-sha-256-thumbprint-to-jwk-matcher
Hi Josh!
The x5t matching looks good, pls send me a pull request :)
There's no problem if the JWKMatcher returns one or more keys that don't match the one which was originally used to sign the JWS object. If the signature check fails the processing logic will skip to the next one. If a key succeeds then the JWS object will be found to have a valid signature. So having two or more key candidates with matching "kid" is not a problem.
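The kid collision from the issue description and the candidate-skipping behaviour described in the reply above, as an added example written against the nimbus-jose-jwt API (not code from this issue or from the linked commit). Assumptions: two RSA key pairs generated in-process stand in for the two issuers, and the x5t#S256 value is computed over the encoded public key instead of a DER certificate, since the demo has no certificates.

```java
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.List;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.util.Base64URL;

public class CompositeJwkSetDemo {
    // Constructed scenario: two issuers that both publish a key under the same "kid".
    static final String SHARED_KID = "key-1";
    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }
    // Assumption: SHA-256 of the encoded public key stands in for x5t#S256, which is
    // normally the SHA-256 of the DER certificate; the matching logic is identical.
    static Base64URL thumbprint(KeyPair kp) throws Exception {
        return Base64URL.encode(MessageDigest.getInstance("SHA-256").digest(kp.getPublic().getEncoded()));
    }
    public static void main(String[] args) throws Exception {
        KeyPair issuerA = newRsaKeyPair(), issuerB = newRsaKeyPair();
        JWK jwkA = new RSAKey.Builder((RSAPublicKey) issuerA.getPublic())
                .keyID(SHARED_KID).x509CertSHA256Thumbprint(thumbprint(issuerA)).build();
        JWK jwkB = new RSAKey.Builder((RSAPublicKey) issuerB.getPublic())
                .keyID(SHARED_KID).x509CertSHA256Thumbprint(thumbprint(issuerB)).build();
        JWKSet composite = new JWKSet(Arrays.asList(jwkA, jwkB)); // both issuers' sets merged
        // Issuer B signs; the header carries the shared kid and B's x5t#S256.
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(SHARED_KID).x509CertSHA256Thumbprint(thumbprint(issuerB)).build();
        JWSObject jws = new JWSObject(header, new Payload("hello"));
        jws.sign(new RSASSASigner(issuerB.getPrivate()));
        // kid alone is ambiguous (2 candidates); kid + x5t#S256 from the header yields 1.
        List<JWK> byKid = new JWKSelector(new JWKMatcher.Builder()
                .keyID(header.getKeyID()).build()).select(composite);
        List<JWK> byKidAndThumb = new JWKSelector(new JWKMatcher.Builder()
                .keyID(header.getKeyID())
                .x509CertSHA256Thumbprint(header.getX509CertSHA256Thumbprint()).build()).select(composite);
        System.out.println("kid only: " + byKid.size() + ", kid + x5t#S256: " + byKidAndThumb.size());
        // Even with the ambiguous list, each candidate is tried in turn; a key that did not
        // sign the object simply fails verification and the next one is tried.
        for (JWK candidate : byKid) {
            boolean valid = jws.verify(new RSASSAVerifier((RSAKey) candidate));
            System.out.println(candidate.getX509CertSHA256Thumbprint() + " -> " + valid);
        }
    }
}
```

Selecting on kid alone returns both keys and only issuer B's key verifies; selecting on kid plus x5t#S256 returns just that key, so no wrong candidate is tried at all.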
Status changed to resolved.
Released v5.12