[jboss-jira] [JBoss JIRA] (WFWIP-294) JWT is rejected if signature matching public key is not first in JWK set

Jan Kasik (Jira) issues at jboss.org
Fri Jan 10 03:21:00 EST 2020


    [ https://issues.redhat.com/browse/WFWIP-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13945441#comment-13945441 ] 

Jan Kasik commented on WFWIP-294:
---------------------------------

I will sum up our discussion here: After fiddling with [~dlofthouse]'s quickstart project we found out that the issue is reproducible for {{mp.jwt.verify.publickey}}. With {{mp.jwt.verify.publickey.location}} it is not.

> JWT is rejected if signature matching public key is not first in JWK set
> ------------------------------------------------------------------------
>
>                 Key: WFWIP-294
>                 URL: https://issues.redhat.com/browse/WFWIP-294
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: MP JWT
>            Reporter: Jan Kasik
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>         Attachments: jwks.json, jwt.base64
>
>
> When the public key on the remote server is configured to be a JWK set, a JWT whose key ID correctly points at the matching public key in the set is rejected if that public key is not in the first position of the set array.
> This behavior is reproducible when the JWKS is set via the {{mp.jwt.verify.publickey}} property.
> Attached is a "flawed" key set with "blue-key" placed in the first position of the array, while the JOSE header has {{kid}} set to "orange-key" and the JWT itself is signed by the private key from the "orange" key pair.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
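The key-selection behavior the report describes, as an added example that is not part of the issue or of WildFly's own code: a JWK set constructed to mirror the attachment (blue-key first, orange-key second), the JOSE header parsed from a constructed compact JWT, and a "first key wins" selector beside a kid-based selector that also checks alg agreement. Key material and the signature are placeholders; only the selection step is shown, not signature verification.

```python
import base64
import json

# Constructed JWK set mirroring the report: "blue-key" first, "orange-key" second.
# Modulus values are placeholders, not real RSA keys; only selection is exercised.
JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "blue-key", "alg": "RS256", "use": "sig", "n": "blue-modulus", "e": "AQAB"},
        {"kty": "RSA", "kid": "orange-key", "alg": "RS256", "use": "sig", "n": "orange-modulus", "e": "AQAB"},
    ]
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    # JWS strips base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jose_header(token: str) -> dict:
    # Compact JWS is header.payload.signature; only the header drives key selection
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))

def select_key_first_only(jwks: dict, header: dict) -> dict:
    # The faulty behavior from the report: the first key is used regardless of kid
    return jwks["keys"][0]

def select_key_by_kid(jwks: dict, header: dict) -> dict:
    # Correct behavior: match kid anywhere in the set and require exactly one signing key
    kid = header.get("kid")
    if kid is None:
        raise ValueError("JOSE header has no kid; cannot choose from a multi-key set")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one signing key with kid {kid!r}, found {len(matches)}")
    key = matches[0]
    if "alg" in key and key["alg"] != header.get("alg"):
        raise ValueError("token alg does not match the selected key's alg")
    return key

# Constructed token whose header names "orange-key"; payload and signature are placeholders
TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "orange-key"}).encode()),
    b64url_encode(b'{"sub":"demo"}'),
    b64url_encode(b"placeholder-signature"),
])
```

With the set above, the first-key selector hands back "blue-key" and signature verification would fail exactly as the report describes, while the kid-based selector returns "orange-key".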