[jboss-jira] [JBoss JIRA] (WFLY-12975) JWT is rejected if signature matching public key is not first in JWK set
Darran Lofthouse (Jira)
issues at jboss.org
Wed Jan 15 12:50:42 EST 2020
[ https://issues.redhat.com/browse/WFLY-12975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse moved WFWIP-294 to WFLY-12975:
-----------------------------------------------
Project: WildFly (was: WildFly WIP)
Key: WFLY-12975 (was: WFWIP-294)
Component/s: MP JWT (was: MP JWT)
> JWT is rejected if signature matching public key is not first in JWK set
> ------------------------------------------------------------------------
>
> Key: WFLY-12975
> URL: https://issues.redhat.com/browse/WFLY-12975
> Project: WildFly
> Issue Type: Bug
> Components: MP JWT
> Reporter: Jan Kasik
> Assignee: Darran Lofthouse
> Priority: Critical
> Attachments: jwks.json, jwt.base64
>
>
> When the public key on the remote server is configured as a JWK set, a JWT whose key ID correctly points to the matching public key in the set is rejected if that public key is not in the first position of the set array.
> This behavior is reproducible when the JWKS is set via the {{mp.jwt.verify.publickey}} property.
> Attached is a "flawed" key set with "blue-key" placed in the first position of the array, while the JOSE header has {{kid}} set to "orange-key" and the JWT itself is signed by the private key from the "orange" key pair.
> This breaks MP-JWT specification compatibility because MP-JWT 1.1 states:
> In section 9.2.3:
> {quote}
> If the incoming JWT uses the kid header field and there is a key in the supplied JWK set with the same kid, only that key is considered for verification of the JWT’s digital signature.
> {quote}
> In section 4.1:
> {quote}
> kid - This JOSE header parameter is a hint indicating which key was used to secure the JWT. RFC7515, Section-4.1.4
> {quote}
> And RFC 7515, Section 4.1.4 states:
> {quote}
> When used with a JWK, the "kid" value is used to match a JWK "kid" parameter value.
> {quote}
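The kid-based key selection the quoted spec passages require, shown next to the first-key-only behaviour the report describes. This is an added example, not code from the report or from WildFly's MP JWT subsystem; it uses a constructed JWK set of symmetric "oct" keys with HS256 so it runs on the standard library alone, whereas the attached jwks.json holds public keys.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed JWK set for the demo: "blue-key" deliberately sits first, "orange-key" second.
JWKS = {"keys": [
    {"kty": "oct", "kid": "blue-key", "k": b64url_encode(b"blue-secret-constructed-for-demo")},
    {"kty": "oct", "kid": "orange-key", "k": b64url_encode(b"orange-secret-constructed-for-demo")},
]}

def select_jwk(jwks: dict, header: dict):
    """MP-JWT 1.1 9.2.3 / RFC 7515 4.1.4: with a kid in the JOSE header, only the JWK
    carrying the same kid is a candidate. No kid, or a duplicated kid, yields None."""
    kid = header.get("kid")
    if kid is None:
        return None
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    return matches[0] if len(matches) == 1 else None

def sign_hs256(claims: dict, jwk: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_by_kid(token: str, jwks: dict) -> bool:
    """Correct behaviour: pick the key by kid, then check the MAC with that key only."""
    signing_input, _, sig = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    jwk = select_jwk(jwks, header)
    if header.get("alg") != "HS256" or jwk is None or jwk.get("kty") != "oct":
        return False
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_decode(sig))

def verify_first_key_only(token: str, jwks: dict) -> bool:
    """Behaviour the report describes: the first key in the set is used and kid is ignored."""
    signing_input, _, sig = token.rpartition(".")
    jwk = jwks["keys"][0]
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_decode(sig))
```

A token signed with "orange-key" (second in the set) verifies under `verify_by_kid` and fails under `verify_first_key_only`, which is exactly the rejection the report observes.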
--
This message was sent by Atlassian Jira
(v7.13.8#713008)