Sonia Zaldana updated WFLY-12975:
---------------------------------
Git Pull Request:
JWT is rejected if signature matching public key is not first in JWK set
------------------------------------------------------------------------
Key: WFLY-12975
URL:
https://issues.redhat.com/browse/WFLY-12975
Project: WildFly
Issue Type: Bug
Components: MP JWT
Reporter: Jan Kasik
Priority: Critical
Attachments: jwks.json, jwt.base64
When the public key on the remote server is configured as a JWK set, a JWT whose key ID
correctly points at the matching public key in the set is rejected if that public key is
not in the first position of the set array.
This behavior is reproducible when the JWKS is set via the {{mp.jwt.verify.publickey}}
property.
Attached is a "flawed" key set with "blue-key" placed in the first position of the
array, while the JOSE header has {{kid}} set to "orange-key" and the JWT itself is
signed by the private key from the "orange" key pair.
This breaks compatibility with the MP-JWT specification, because MP-JWT 1.1 states:
In section 9.2.3:
{quote}
If the incoming JWT uses the kid header field and there is a key in the supplied JWK set
with the same kid, only that key is considered for verification of the JWT’s digital
signature.
{quote}
In section 4.1:
{quote}
kid - This JOSE header parameter is a hint indicating which key was used to secure the
JWT. RFC7515, Section-4.1.4
{quote}
And RFC 7515, Section 4.1.4 states:
{quote}
When used with a JWK, the "kid" value is used to match a JWK "kid"
parameter value.
{quote}
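The key-selection rule quoted above, as an added illustration that is not WildFly's or the MP-JWT implementation's code: a constructed two-key JWK set with "blue-key" deliberately first, a token signed under "orange-key", and a verifier that can either honour the {{kid}} header (spec behaviour) or always take the first key (the reported behaviour). Symmetric HS256 "oct" JWKs are assumed instead of the RSA public keys in the attached jwks.json so the example runs with only the standard library; the kid lookup itself is the same for either key type.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWK set (hypothetical secrets): "blue-key" first, "orange-key" second.
JWKS = {"keys": [
    {"kty": "oct", "kid": "blue-key", "alg": "HS256", "k": b64url_encode(b"blue-secret")},
    {"kty": "oct", "kid": "orange-key", "alg": "HS256", "k": b64url_encode(b"orange-secret")},
]}


def sign_hs256(header: dict, claims: dict, key_bytes: bytes) -> str:
    """Helper for the demo: build a compact JWS/JWT signed with HS256."""
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key_bytes, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def select_key(jwks: dict, kid):
    """MP-JWT 1.1 section 9.2.3: with a kid header, only the JWK with the same kid is considered."""
    if kid is None:
        return None
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    return matches[0] if len(matches) == 1 else None  # no match or ambiguous kid: reject


def verify(token: str, jwks: dict, honour_kid: bool) -> bool:
    """True if the signature verifies. honour_kid=False reproduces the first-key-wins bug."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick an unexpected algorithm
        return False
    jwk = select_key(jwks, header.get("kid")) if honour_kid else jwks["keys"][0]
    if jwk is None:
        return False
    expected = hmac.new(b64url_decode(jwk["k"]), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


ORANGE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "orange-key"}, {"sub": "alice"}, b"orange-secret")
```

With `honour_kid=False` the orange token is rejected exactly as described in the report, because the blue key is tried instead; with `honour_kid=True` it verifies, and a token whose kid matches no key in the set is rejected.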