By: Petri Pyoria named 04 Apr 2018 at 2:38 a.m. CDT

7 Responses
It is possible to create a new OIDC client by using the Gluu dynamic client creation REST API. When a new OIDC client is created, the client's public encryption and signing keys can be configured in Gluu as a web page URI (jwks_uri). How dynamic is the handling of the JWKS URI keys? In which situations does Gluu read the client keys from the given JWKS URI? If the client changes the content of the JWKS URI page, should Gluu be restarted? How about when the client changes the JWKS URI address and the new address is set in Gluu? Should the server be restarted in this situation? If the client defines a time limit for the content in the Cache-Control HTTP header of the JWKS URI page, does Gluu reload the keys automatically when the time limit expires?

By Michael Schwartz Account Admin 08 Apr 2018 at 11:14 p.m. CDT

Hi Petri.
1. Yes, it's definitely possible to create a client using [Dynamic Client Registration](http://openid.net/specs/openid-connect-registration-1_0.html). As you can see, Gluu [passes self-certification profiles](http://openid.net/certification/).
2. You should review the definitions for `jwks_uri` in [OpenID Connect Client Metadata](http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
3. If the client changes the contents of the jwks_uri, I think it would be ok. The Gluu Server should handle key rotation. If you find otherwise, please post an issue. I don't think we track the expiration.

By Petri Pyoria named 09 Apr 2018 at 2:01 a.m. CDT

Hi, thank you for the answer! We have already tested dynamic client registration and so far it has been working well. It was just unclear how Gluu uses the JWKS URI. Based on your answer, I suppose that Gluu re-reads the keys if it notices that the client is using an unknown key ID? Otherwise Gluu caches the previously read keys?

By Michael Schwartz Account Admin 09 Apr 2018 at 2:57 p.m. CDT

Javier, could you comment on this?

By Javier Rojas staff 10 Apr 2018 at 12:57 a.m. CDT

Hello Petri, oxAuth does not cache the content of the jwks_uri; it reads the content of the JWKS URI page whenever it needs to retrieve an encryption or signing key.

By Petri Pyoria named 10 Apr 2018 at 1:06 a.m. CDT

Ok. Could you still clarify a little more what "the need" means? Is oxAuth loading the JWKS URI page every time an authentication request from an OIDC client is handled?

By Javier Rojas staff 10 Apr 2018 at 2 p.m. CDT

Case 1:
- The Client signs requests to the Server (passing a Request Object by Value or by Reference).
- oxAuth retrieves the JWKS from the Client's jwks_uri to validate signatures from the Client.
Case 2:
- The Client expects encrypted responses from oxAuth, e.g. an encrypted id_token or an encrypted UserInfo response.
- oxAuth retrieves the JWKS from the Client's jwks_uri to encrypt responses to the Client.
Case 3:
- The Client specifies the private_key_jwt authentication method at the token endpoint.
- oxAuth retrieves the JWKS from the Client's jwks_uri to validate signatures from the Client.
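The fetch-on-every-use behaviour Javier describes, and the signed-request-object / private_key_jwt cases above, as an added example that is not part of the original thread and not oxAuth's or Gluu's code. It is a self-contained Go program: a client publishes an RSA JWK Set at a stand-in jwks_uri (an in-process httptest server), signs an RS256 JWT whose header carries the kid of its current key, and a server-side VerifyJWT fetches the JWK Set on every verification, selects the key by kid, pins the algorithm and checks the signature. Rotating the client's key changes the jwks_uri content, and the next verification sees it without anything being restarted; a token whose kid is no longer published is rejected. All names (Client, Rotate, SignJWT, VerifyJWT, the kid values "k1" and "k2") are this example's own, and the Cache-Control header is emitted only to show that the verifier here, like oxAuth according to this thread, does not act on it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url

// Client is the relying party: it holds the private signing key and publishes the public half at jwks_uri.
type Client struct {
	kid string
	key *rsa.PrivateKey
}

// Rotate installs a fresh key under a new kid. For brevity the old key is dropped at once;
// a real client keeps old and new keys in the JWKS until everything signed with the old one has expired.
func (c *Client) Rotate(kid string) (err error) {
	c.key, err = rsa.GenerateKey(rand.Reader, 2048)
	c.kid = kid
	return err
}

// ServeHTTP is the jwks_uri endpoint (RFC 7517; n and e are base64url big-endian integers).
func (c *Client) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
	pub := c.key.PublicKey
	w.Header().Set("Cache-Control", "max-age=3600") // advisory only; per the thread oxAuth ignores it
	json.NewEncoder(w).Encode(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": c.kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
}

// SignJWT mints an RS256 compact JWT carrying the current kid, e.g. a private_key_jwt
// client assertion (case 3 above) or a signed request object (case 1).
func (c *Client) SignJWT(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": c.kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyJWT is the OP side: fetch jwks_uri on every call (no cache, Cache-Control ignored, as the
// thread describes oxAuth), pick the key by kid, check RS256 over header.payload, return the payload.
func VerifyJWT(jwksURI, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" { // pin alg; never let the token pick it
		return nil, fmt.Errorf("bad JWT header or unexpected alg")
	}
	resp, err := http.Get(jwksURI) // production: HTTPS only, with a timeout and a size cap
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err = json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid || k.Kty != "RSA" {
			continue
		}
		n, _ := b64.DecodeString(k.N)
		e, _ := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		sig, _ := b64.DecodeString(parts[2])
		h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
			return nil, fmt.Errorf("bad signature for kid %q", hdr.Kid)
		}
		return b64.DecodeString(parts[1])
	}
	return nil, fmt.Errorf("kid %q not published at jwks_uri", hdr.Kid)
}

func main() {
	client := &Client{}
	client.Rotate("k1")
	srv := httptest.NewServer(client) // stand-in for the host that serves the client's jwks_uri
	tok, _ := client.SignJWT(map[string]any{"iss": "client-1"})
	_, before := VerifyJWT(srv.URL, tok)
	client.Rotate("k2") // the jwks_uri content changes; nothing is restarted
	_, after := VerifyJWT(srv.URL, tok)
	fmt.Println("before rotation:", before, "| same token after rotation:", after)
}
```

Two practical consequences follow from fetching on every use. First, the client's jwks_uri host sits on the server's hot path for every signed request, client assertion or encrypted response, so the verifier should talk to it over HTTPS with a timeout and a response size limit, and the client should keep the endpoint highly available. Second, because the old key is dropped immediately here, any token already issued under "k1" fails after rotation; a production client publishes the outgoing and incoming keys side by side until tokens signed with the old key have expired, and the kid-based lookup then picks the right one without any server-side change.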

By Petri Pyoria named 11 Apr 2018 at 12:23 a.m. CDT

Thank you, this is now clear for us.