[Federation] Specify requirement for the JWT "kid" header in Entity Statements, etc
OpenID Federation defines four JWTs signed with federation entity keys:
- Entity Statement
- Resolve response
- Signed JWK set obtained from the historical keys endpoint
- Trust Marks
For these JWTs we need to specify whether the “kid” header parameter is required.
According to the current spec, federation JWKs must include a “kid”:

jwks
REQUIRED. A JSON Web Key Set (JWKS) [RFC7517] representing the public part of the subject's Federation Entity signing keys. The corresponding private key is used by the Entity to sign the Entity Configuration about itself, and by Trust Anchors and Intermediate Entities to sign Subordinate Statements about their Immediate Subordinates. The public keys are used to verify the signatures of the issued Entity Statements and Trust Marks and SHOULD NOT be used in other protocols. (Keys to be used in other protocols, such as OpenID Connect, are conveyed in the metadata elements of the respective Entity Statements.) This claim is only OPTIONAL for the Entity Statement returned from an OP when the client is doing Explicit Registration. In all other cases, it is REQUIRED. Every JWK in the JWK Set MUST have a unique kid (Key ID) value. It is RECOMMENDED that the Key ID be the JWK Thumbprint [RFC7638] using the SHA-256 hash function of the key.
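As an added illustration (not code from the issue, the spec, or the working group), this is the check a verifier would apply if “kid” were mandatory in these JWTs: derive the Key ID as the RFC 7638 SHA-256 thumbprint the spec recommends, enforce unique kids across the federation JWKS, and reject a JWT whose JOSE header omits kid or names a key absent from the set. The EC coordinates are the RFC 7517 Appendix A.1 example key; the function names are my own.

```python
import base64
import hashlib
import json

# Members that enter the RFC 7638 thumbprint input, by key type.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographically sorted, no whitespace, SHA-256."""
    try:
        members = REQUIRED_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')}") from exc
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_jwks_kids(jwks: dict) -> bool:
    """Every JWK in a federation JWKS MUST carry a unique kid."""
    kids = [k.get("kid") for k in jwks["keys"]]
    if any(k is None for k in kids):
        raise ValueError("federation JWK without kid")
    if len(set(kids)) != len(kids):
        raise ValueError("duplicate kid in federation JWKS")
    return True


def select_key(jose_header: dict, jwks: dict) -> dict:
    """Pick the verification key for a federation JWT; kid is treated as mandatory."""
    kid = jose_header.get("kid")
    if kid is None:
        raise ValueError("JWT header lacks required kid")
    check_jwks_kids(jwks)
    for key in jwks["keys"]:
        if key["kid"] == kid:
            return key
    raise ValueError(f"no federation key with kid {kid!r}")


# Constructed federation signing key (RFC 7517 A.1 EC coordinates); kid = its thumbprint.
FED_KEY = {"kty": "EC", "crv": "P-256", "use": "sig",
           "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
           "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
FED_KEY["kid"] = jwk_thumbprint(FED_KEY)
FED_JWKS = {"keys": [FED_KEY]}
```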
Comments (5)
reporter:
As you can see in the OpenID Connect certification profiles at https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf, a “kid” is required in ID Tokens. (Yes, the Connect spec didn’t require it, but the working group later decided to correct that omission in the certification profiles.)
We should require a “kid” header parameter in all the JWTs we define.
- changed status to open
To be fixed by https://bitbucket.org/openid/connect/pull-requests/721
- changed status to resolved
We also have the signed trust mark delegation thing :)
https://connect2id.com/assets/standards/drafts/openid-federation-1_0.html#section-7.3
Not sure if the JWT “kid” should be required here?