Certification and kid
I found the following on the jose list. It mentions OpenID Certification.
Hello,
I have a question regarding Section 4.5 of RFC 7517, which states:
4.5. "kid" (Key ID) Parameter
The "kid" (key ID) parameter is used to match a specific key. This
is used, for instance, to choose among a set of keys within a JWK Set
during key rollover. The structure of the "kid" value is
unspecified. When "kid" values are used within a JWK Set, different
keys within the JWK Set SHOULD use distinct "kid" values. (One
example in which different keys might use the same "kid" value is if
they have different "kty" (key type) values but are considered to be
equivalent alternatives by the application using them.) The "kid"
value is a case-sensitive string. Use of this member is OPTIONAL.
When used with JWS or JWE, the "kid" value is used to match a JWS or
JWE "kid" Header Parameter value.
The part which is raising concerns is:
When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values.
Context:
I am using an openid certified node library which does not allow for multiple keys with the same ID.
An issue has been opened (and closed) where the author/maintainer states that the keys should have different kids and the problem is with the issuer.
The issuer (based on IdentityServer4) which I connect to states the opposite: that the offending keys (the repeating ones) are not different keys but the same and, as such, can use the same kid.
Question:
Which party is correct?
Thank you for your time,
Ricardo Pereira
Comments (3)
We’ve touched on this on the 5-Dec-19 call (discussed in #1127) - we agreed on enforcing uniqueness amongst the JWK Set - it’s not clear whether that would be an errata or a test in the certification suite, to be decided by the WG. The offending OP JWKS is here - notice the first and the last JWK are exactly the same.
On the mailing archive Neil said a robust client needs to handle this; I disagree (because the key is EXACTLY THE SAME; if one of them had a different “use” or “alg”, as Neil suggested is used in the wild, it wouldn’t match the JWKS query process of the client) but made the change anyway. So in case of multiple keys matching the kid / alg / use combination the client will iterate one by one until it gets a hit.
Changed status to duplicate.
Duplicate of #1127.
This was discussed recently I believe, under https://bitbucket.org/openid/connect/issues/1127/are-duplicate-kid-s-in-jwks-permitted