[
https://issues.redhat.com/browse/WFWIP-294?page=com.atlassian.jira.plugin...
]
Jan Kasik commented on WFWIP-294:
---------------------------------
I will sum up our discussion here: After fiddling with [~dlofthouse]'s quickstart
project we found out that the issue is reproducible for {{mp.jwt.verify.publickey}}. With
{{mp.jwt.verify.publickey.location}} it is not.
JWT is rejected if signature matching public key is not first in JWK
set
------------------------------------------------------------------------
Key: WFWIP-294
URL:
https://issues.redhat.com/browse/WFWIP-294
Project: WildFly WIP
Issue Type: Bug
Components: MP JWT
Reporter: Jan Kasik
Assignee: Darran Lofthouse
Priority: Blocker
Attachments: jwks.json, jwt.base64
When public key on remote server is configured to be JWK set, the JWT which has correctly
configured key ID to aim on matching public key from the set is rejected if matching
public key is not on first position in the set array.
This behavior is reproducible in the case the JWKS is set via {{mp.jwt.verify.publickey}}
property.
Attached is "flawed" key set with "blue-key" placed on first position
in array when JOSE header has {{kid}} set to "orange-key" and JWT itself is
signed by private key which is from "orange" key pair.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)