[jboss-jira] [JBoss JIRA] (WFWIP-294) JWT is rejected if signature matching public key is not first in JWK set

Darran Lofthouse (Jira) issues at jboss.org
Thu Jan 9 10:04:13 EST 2020


    [ https://issues.redhat.com/browse/WFWIP-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13944936#comment-13944936 ] 

Darran Lofthouse commented on WFWIP-294:
----------------------------------------

Checking the MP JWT spec, I believe there may be some more aspects to this to double-check:
* If the JWT token contains the "kid" claim and that claim matches the kid of a JWT then only that key should be used to check the signature.

From that I believe we may be able to imply if the token contains no "kid" then all keys should be used to find one which verifies the signature.

This may also mean that if the token contains a "kid" that doesn't match any JWK then all keys should be used to find one which verifies the signature.


> JWT is rejected if signature matching public key is not first in JWK set
> ------------------------------------------------------------------------
>
>                 Key: WFWIP-294
>                 URL: https://issues.redhat.com/browse/WFWIP-294
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: MP JWT
>            Reporter: Jan Kasik
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>         Attachments: jwks.json, jwt.base64
>
>
> When the public key on the remote server is configured to be a JWK set, a JWT whose key ID is correctly configured to aim at the matching public key from the set is rejected if the matching public key is not in the first position of the set array.
> Attached is a "flawed" key set with "blue-key" placed in the first position of the array, while the JOSE header has {{kid}} set to "orange-key" and the JWT itself is signed by the private key from the "orange" key pair.
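The kid-based key selection described in the comment above, as an added Go example (not WildFly or MicroProfile JWT code): candidateKeys implements the three cases (matching kid restricts to that key; no kid or an unmatched kid tries every key), verifyRS256 walks the candidates, and sampleToken constructs the reported "blue-key first, signed by orange" scenario from freshly generated keys; the function names and the sample payload are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// jwk is one JWK set entry, reduced to its key ID and the RSA public key it carries.
type jwk struct{ Kid string; Key *rsa.PublicKey }

// sum256 hashes the JWS signing input, as RS256 (PKCS#1 v1.5 over SHA-256) requires.
func sum256(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// candidateKeys applies the rules from the comment above: a matching kid restricts verification to that key; no kid, or an unmatched kid, tries every key.
func candidateKeys(set []jwk, kid string) []jwk {
	for _, k := range set {
		if kid != "" && k.Kid == kid {
			return []jwk{k}
		}
	}
	return set
}

// verifyRS256 returns the kid of the JWK whose key verifies sig over signingInput (base64url(header) + "." + base64url(payload)), or an error when no candidate does.
func verifyRS256(set []jwk, kid, signingInput string, sig []byte) (string, error) {
	for _, k := range candidateKeys(set, kid) {
		if rsa.VerifyPKCS1v15(k.Key, crypto.SHA256, sum256(signingInput), sig) == nil {
			return k.Kid, nil
		}
	}
	return "", fmt.Errorf("no key in the JWK set verifies the signature (kid %q)", kid)
}

// sampleToken constructs the reported scenario: "blue-key" first in the set, token signed by the orange key (constructed sample data).
func sampleToken() (set []jwk, signingInput string, sig []byte) {
	blue, _ := rsa.GenerateKey(rand.Reader, 2048)
	orange, _ := rsa.GenerateKey(rand.Reader, 2048)
	set = []jwk{{"blue-key", &blue.PublicKey}, {"orange-key", &orange.PublicKey}}
	enc := base64.RawURLEncoding.EncodeToString
	signingInput = enc([]byte(`{"alg":"RS256","kid":"orange-key"}`)) + "." + enc([]byte(`{"sub":"jdoe"}`))
	sig, _ = rsa.SignPKCS1v15(rand.Reader, orange, crypto.SHA256, sum256(signingInput))
	return set, signingInput, sig
}

func main() { set, in, sig := sampleToken(); fmt.Println(verifyRS256(set, "orange-key", in, sig)) } // orange-key <nil>
```

Passing set[:1] instead of set reproduces the reported rejection: with only the first JWK considered, the orange-signed token never verifies.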



--
This message was sent by Atlassian Jira
(v7.13.8#713008)