JWSVerificationKeySelector should support multiple algorithms
I'd like to create a JWSVerificationKeySelector that verifies keys based on an OIDC Provider Metadata document. However, the OIDC Provider Metadata defines id_token_signing_alg_values_supported as a list of algorithms that might be used to sign ID Tokens, whereas the JWSVerificationKeySelector constructor only takes a single algorithm argument rather than a list of algorithms.
In other words, I'd like to do this (which won't compile currently):

    JWSVerificationKeySelector keySelector = new JWSVerificationKeySelector(
        oidcProviderMetadata.getIdTokenJWSAlgs(),
        new RemoteJWKSet(oidcProviderMetadata.getJwkSetURI().toURL())
    );
Comments (5)
reporter: I can certainly implement my own JWSKeySelector. But the JWSVerificationKeySelector implementation already does everything I need, other than support for multiple algorithms. I'd basically be copying the existing JWSVerificationKeySelector code for my own implementation. Since others might have a similar need to interop with OIDC provider metadata, I thought this could be a useful feature to include in the existing implementation.
The OAuth / OIDC SDK that we maintain has a complete ID token verifier, which is configured from OP & RP metadata:
Normally, when an RP is registered with an OP, the JWS alg is set to a specific value, e.g. RS256, which means that tokens for the RP will be issued with that alg, and not a range of algs.
https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
id_token_signed_response_alg OPTIONAL. JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
In other words, the verifier should be created based on OpenID provider and client metadata, not just provider metadata.
changed status to wontfix
Closing, use OIDC specific verifier.
Hi Gary,
JWSVerificationKeySelector implements JWSKeySelector, which allows a context to be passed. Have you thought about implementing your own JWSKeySelector? https://static.javadoc.io/com.nimbusds/nimbus-jose-jwt/6.3/com/nimbusds/jose/proc/JWSKeySelector.html
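As an added example (not code from this issue or from nimbus-jose-jwt), here is the custom JWSKeySelector the comments suggest: a hypothetical MultiAlgJWSKeySelector that takes the OP's id_token_signing_alg_values_supported list and delegates each algorithm to its own JWSVerificationKeySelector, so a token whose header alg is outside that list gets no candidate keys and fails verification.

```java
import java.security.Key;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;

// Hypothetical class, not part of nimbus-jose-jwt: one JWSVerificationKeySelector per allowed alg.
public class MultiAlgJWSKeySelector<C extends SecurityContext> implements JWSKeySelector<C> {

    private final Map<JWSAlgorithm, JWSVerificationKeySelector<C>> delegates = new LinkedHashMap<>();

    public MultiAlgJWSKeySelector(Collection<JWSAlgorithm> allowedAlgs, JWKSource<C> jwkSource) {
        if (allowedAlgs == null || allowedAlgs.isEmpty()) {
            throw new IllegalArgumentException("At least one JWS algorithm must be allowed");
        }
        for (JWSAlgorithm alg : allowedAlgs) {
            // "none" is an unsecured JWS; the registration spec forbids it for ID tokens, so reject it here
            if (Algorithm.NONE.getName().equals(alg.getName())) {
                throw new IllegalArgumentException("The none algorithm is not permitted");
            }
            delegates.put(alg, new JWSVerificationKeySelector<>(alg, jwkSource));
        }
    }

    @Override
    public List<? extends Key> selectJWSKeys(JWSHeader header, C context) throws KeySourceException {
        JWSVerificationKeySelector<C> delegate = delegates.get(header.getAlgorithm());
        if (delegate == null) {
            // Header alg is not in the OP's advertised set: return no keys, so verification fails
            return Collections.emptyList();
        }
        // Delegate applies the usual alg-to-key-type matching and kid lookup against the JWK set
        return delegate.selectJWSKeys(header, context);
    }
}
```

Wired up like the reporter's snippet, it would be constructed as new MultiAlgJWSKeySelector<>(oidcProviderMetadata.getIdTokenJWSAlgs(), new RemoteJWKSet<>(oidcProviderMetadata.getJwkSetURI().toURL())); per the maintainer's point, the client's registered id_token_signed_response_alg is the tighter choice when it is known.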