JWSVerificationKeySelector should support multiple algorithms

Issue #284 wontfix
Gary Peck created an issue

I'd like to create a JWSVerificationKeySelector that verifies keys based on an OIDC Provider Metadata document. However, the OIDC Provider Metadata defines id_token_signing_alg_values_supported as a list of algorithms that might be used to sign ID Tokens, whereas the JWSVerificationKeySelector constructor only takes a single algorithm argument rather than a list of algorithms.

In other words, I'd like to do this (which won't compile currently):

JWSVerificationKeySelector keySelector = new JWSVerificationKeySelector(
    oidcProviderMetadata.getIdTokenJWSAlgs(),
    new RemoteJWKSet(oidcProviderMetadata.getJwkSetURI().toURL())
);

Comments (5)

  1. Gary Peck reporter

    I can certainly implement my own JWSKeySelector. But the JWSVerificationKeySelector implementation already does everything I need, other than support for multiple algorithms. I'd basically be copying the existing JWSVerificationKeySelector code for my own implementation. Since others might have a similar need to interop with OIDC provider metadata, I thought this could be a useful feature to include in the existing implementation.

  2. Vladimir Dzhuvinov

    The OAuth / OIDC SDK that we maintain has a complete ID token verifier, which is configured from OP & RP metadata:

    https://static.javadoc.io/com.nimbusds/oauth2-oidc-sdk/6.2/com/nimbusds/openid/connect/sdk/validators/package-summary.html

    Normally, when an RP is registered with an OP, the JWS alg is set to a specific value, e.g. RS256, which means that tokens for the RP will be issued with that alg, and not a range of algs.

    https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata

    id_token_signed_response_alg OPTIONAL. JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].

  3. Vladimir Dzhuvinov

    In other words, the verifier should be created based on OpenID provider and client metadata, not just provider metadata.
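
As an added example, not code from this thread or from the Nimbus library, the following hypothetical JWSKeySelector follows the approach in comment 3: it is built from the OP's id_token_signing_alg_values_supported and the RP's registered (or configured) ID token alg, accepts only algorithms both sides agree on, and delegates each allowed alg to a standard single-algorithm JWSVerificationKeySelector. The class name, constructor parameters and allowedAlgorithms() method are assumptions for illustration.

```java
import java.security.Key;
import java.util.*;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;

/**
 * Hypothetical selector (not part of Nimbus JOSE+JWT): accepts the ID token algs
 * found in both the OP's id_token_signing_alg_values_supported and the RP's own
 * accepted set, delegating each alg to a single-algorithm JWSVerificationKeySelector.
 */
public final class MetadataJWSKeySelector<C extends SecurityContext> implements JWSKeySelector<C> {

    private final Map<JWSAlgorithm, JWSVerificationKeySelector<C>> delegates = new HashMap<>();

    /**
     * @param opSupportedAlgs values of id_token_signing_alg_values_supported from OP metadata
     * @param rpAcceptedAlgs  the RP's registered id_token_signed_response_alg (RS256 if omitted),
     *                        or a small explicit allow-list when the RP accepts several
     * @param jwkSource       keys from the OP's jwks_uri, e.g. a RemoteJWKSet
     */
    public MetadataJWSKeySelector(Collection<String> opSupportedAlgs,
                                  Collection<String> rpAcceptedAlgs,
                                  JWKSource<C> jwkSource) {
        for (String name : rpAcceptedAlgs) {
            JWSAlgorithm alg = JWSAlgorithm.parse(name);
            // "none" is never acceptable for a signed ID token, whatever either metadata says.
            if ("none".equals(alg.getName()) || !opSupportedAlgs.contains(name)) {
                continue;
            }
            delegates.put(alg, new JWSVerificationKeySelector<>(alg, jwkSource));
        }
        if (delegates.isEmpty()) {
            throw new IllegalArgumentException("no ID token JWS alg is acceptable to both OP and RP");
        }
    }

    /** The algs this selector will hand keys out for (assumed helper, useful for logging). */
    public Set<JWSAlgorithm> allowedAlgorithms() {
        return Collections.unmodifiableSet(delegates.keySet());
    }

    @Override
    public List<? extends Key> selectJWSKeys(JWSHeader header, C context) throws KeySourceException {
        JWSVerificationKeySelector<C> delegate = delegates.get(header.getAlgorithm());
        // An alg outside the allow-list yields no candidate keys, so the JWT processor rejects the token.
        return delegate == null ? Collections.emptyList() : delegate.selectJWSKeys(header, context);
    }
}
```

Pass an instance to a DefaultJWTProcessor via setJWSKeySelector as you would a plain JWSVerificationKeySelector; when the RP is registered for a single alg, the delegate map simply holds that one entry.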
