[jboss-jira] [JBoss JIRA] (WFWIP-294) JWT is rejected if signature matching public key is not first in JWK set

[Jan Kasik (Jira)]

     [ https://issues.redhat.com/browse/WFWIP-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kasik updated WFWIP-294:
----------------------------
    Description: 
When public key on remote server is configured to be JWK set, the JWT which has correctly configured key ID to aim on matching public key from the set is rejected if matching public key is not on first position in the set array.

This behavior is reproducible in the case the JWKS is set via {{mp.jwt.verify.publickey}} property.

Attached is "flawed" key set with "blue-key" placed on first position in array when JOSE header has {{kid}} set to "orange-key" and JWT itself is signed by private key which is from "orange" key pair.

This breaks MP-JWT specification compatibility because the MP-JWT 1.1 states:

In section 9.2.3:

{quote}
If the incoming JWT uses the kid header field and there is a key in the supplied JWK set with the same kid, only that key is considered for verification of the JWT’s digital signature.
{quote}

  was:
When public key on remote server is configured to be JWK set, the JWT which has correctly configured key ID to aim on matching public key from the set is rejected if matching public key is not on first position in the set array.

This behavior is reproducible in the case the JWKS is set via {{mp.jwt.verify.publickey}} property.

Attached is "flawed" key set with "blue-key" placed on first position in array when JOSE header has {{kid}} set to "orange-key" and JWT itself is signed by private key which is from "orange" key pair.



> JWT is rejected if signature matching public key is not first in JWK set
> ------------------------------------------------------------------------
>
>                 Key: WFWIP-294
>                 URL: https://issues.redhat.com/browse/WFWIP-294
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: MP JWT
>            Reporter: Jan Kasik
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>         Attachments: jwks.json, jwt.base64
>
>
> When public key on remote server is configured to be JWK set, the JWT which has correctly configured key ID to aim on matching public key from the set is rejected if matching public key is not on first position in the set array.
> This behavior is reproducible in the case the JWKS is set via {{mp.jwt.verify.publickey}} property.
> Attached is "flawed" key set with "blue-key" placed on first position in array when JOSE header has {{kid}} set to "orange-key" and JWT itself is signed by private key which is from "orange" key pair.
> This breaks MP-JWT specification compatibility because the MP-JWT 1.1 states:
> In section 9.2.3:
> {quote}
> If the incoming JWT uses the kid header field and there is a key in the supplied JWK set with the same kid, only that key is considered for verification of the JWT’s digital signature.
> {quote}



--
This message was sent by Atlassian Jira
(v7.13.8#713008)