By: Esko Heimonen user 24 Nov 2021 at 1:52 a.m. CST

6 Responses

Setting JWKS (and omitting JWKS_URI) in oxTrust OpenIDConnect Client configuration is expected to use the explicitly provided JWKS key ("use":"enc") when encrypting ID token. This combination results in NullPointerException at org.gluu.oxauth.model.jwk.JSONWebKeySet.fromJSONObject(JSONWebKeySet(). I believe the root cause likely is that JwrService.encryptJwe() does not inspect if client.getJwksUri() is null and if instead client.getJwks() returns public key information. Addition: Using JWKS_URI instead of JWKS in client configuration, I can get encryptJwe() to read client public keys. However, a bit later in the flow, OxAuthCryptoProvider expects to find my client's encryption public key in the oxauth keystore. Is the intent that public keys behind a client's JWKS_URI and/or JWKS parameter should be "white listed" by importing them to the oxauth keystore -- among the key pairs that oxauth uses for its own authentication and decryption purposes? I find this a bit surprising, at least in that a separate truststore is apparently not used for trusted client keys. (I did not find an OxAuth property for this.) Is there some automated way of importing keys to oxauth keystore/truststore after they've been added to client configuration? I think it would be nice if one could simply set an OxAuth or client property to automatically trust the JWKS_URI (TLS certificates provide some level of assurance) and especially the JWKS information of a client. Addition2: I tried adding my client's encryption public key as a TrustedKeyEntry to oxauth-keys.jks. This did not fix my problem. OxAuthCryptoProvider.getKeyId() calls KeyStore.getKey() to fetch a key matching the client's encryption public key from oxauth keystore, But KeyStore.getKey() always fetches a private key, and does not work with TrustedKeyEntries. Thus, it seems that getKeyId() probably should not be called at all when encrypting ID token with the client's public key (or, rather, when encrypting the symmetric encryption key). getKeyId() is apparently meant for selecting a signing key only. (Btw. OxAuthCryptoProvider.java:387 reads "älg" instead of "alg".) Sorry about flooding!

Gluu 4.3 Ubuntu 18.04

closed

By Mohib Zico Account Admin 11 Dec 2021 at 9:26 p.m. CST

Copy

Hi Esko, >> Setting JWKS (and omitting JWKS_URI) in oxTrust OpenIDConnect Client configuration is expected to use the explicitly provided JWKS key ("use":"enc") when encrypting ID token. This combination results in NullPointerException at org.gluu.oxauth.model.jwk.JSONWebKeySet.fromJSONObject(JSONWebKeySet(). Can you please share whole configuration? Whole configuration means... whole OpenID Client configuration + how to test this scenario in real life. We will test the scenario locally.

By Esko Heimonen user 12 Dec 2021 at 4:20 a.m. CST

Copy

Hi, First, note that when I configure client_secret_basic, and omit all JWT algorithms, my client works fine. My business logic requires forced private_key_jwt authentication every time, though. Here's my OpenID Connect Client config for the latter requirement. I am using a proprietary scope, but it is not relevant here as attribute mapping is working fine in all tests. ``` Response Types: code Grant types: authorization_code Scope: openid (+proprietary scope) Pre-authorization: true Persist client authorizations: false Authentication method for the Token Endpoint: private_key_jwt JWE alg Algorithm for encrypting the UserInfo Responses: RSA-OAEP JWE enc Algorithm for encrypting the UserInfo Responses: A128CBC+HS256 JWS alg Algorithm for signing the UserInfo Responses: RS256 JWE alg Algorithm for encrypting the ID Token: RSA-OAEP JWS alg Algorithm for signing the ID Token: RS256 JWE enc Algorithm for encrypting the ID Token: A128CBC+HS256 JWS alg Algorithm for Authentication method to Token Endpoint: RS256 JWKS_URI: (empty) JWKS: {"keys":[ { "kty": "RSA","kid": "postman-sig", "n": "5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw", "e": "AQAB","use":"sig" }, { "kty": "RSA", "kid": "postman-enc", "n": "5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw", "e": "AQAB","use":"enc" }]} ``` My client is a simple Express stack running passport.js with openid-client strategy, configured to use the corresponding private keys and algorithms: ``` Issuer.discover('<mydomain>') .then(oidcIssuer => { var client = new oidcIssuer.Client({ client_id: '5a36f86f-fc29-46d6-a2c2-4f0d90a58df3', redirect_uris: [ 'https://localhost:8000/auth/callback' ], post_logout_redirect_uris: [ 'https://localhost:8000/logout/callback' ], token_endpoint_auth_method: 'private_key_jwt', token_endpoint_auth_signing_alg: 'RS256', id_token_signed_response_alg: 'RS256', id_token_encrypted_response_alg: 'RSA-OAEP', id_token_encrypted_response_enc: 'A128CBC+HS256', userinfo_token_signed_response_alg: 'RS256', userinfo_token_encrypted_response_alg: 'RSA-OAEP', userinfo_token_encrypted_response_enc: 'A128CBC+HS256' },{ "keys":[{ "kty": "RSA", "use": "sig", "kid": "postman-sig", "n": "5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw", "e": "AQAB", "d": . . ., "p": . . ., "q": . . ., "dp": . . ., "dq": . . ., "qi": . . . },{ "kty": "RSA", "use": "enc", "kid": "postman-enc", . . . }]}) ``` When testing this configuration, I get the following exception stack. Tracing against the source code, it seems to me that JwrService.encryptJwe() simply lacks a case for making use of non-empty JWKS config parameter. ``` 2021-12-12 09:21:13,057 TRACE [qtp1990098664-16] [org.gluu.oxauth.model.token.IdTokenFactory] (IdTokenFactory.java:279) - Created claims for id_token, claims: {xxx all fine xxx} 2021-12-12 09:21:13,059 TRACE [qtp1990098664-16] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:366) - WebKeys:[366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, f150000a-1c 1d-43c1-8cb2-c02b5a358e0a_sig_rs384, 9e415e65-3adf-4d34-a92f-9696444b4878_sig_rs512, ae918387-b27e-4ef0-a7e0-e6f2aeb2370a_sig_es256, f3837a4f-d03d-42b1-bb3b-b4be0060c3e7_sig_es384, dd61e2d5-9c9e-41a3-ac4 8-de330c38a836_sig_es512, 8025af04-c685-4ca6-83c1-1de19e71e85c_sig_ps256, b12e4030-60eb-4198-804b-b933a77f34ba_sig_ps384, 665b321e-340f-4e7a-825c-80c0c2ea15c1_sig_ps512, 2c19a26f-acaa-4b29-b36e-4cb8c0130 36e_enc_rsa1_5, 33d46f08-f060-4998-a10f-487c826b48cc_enc_rsa-oaep] 2021-12-12 09:21:13,060 TRACE [qtp1990098664-16] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:367) - KeyStoreKeys:[dd61e2d5-9c9e-41a3-ac48-de330c38a836_sig_es512, postma n-enc, 366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, 33d46f08-f060-4998-a10f-487c826b48cc_enc_rsa-oaep, b12e4030-60eb-4198-804b-b933a77f34ba_sig_ps384, 665b321e-340f-4e7a-825c-80c0c2ea15c1_sig_ps512, a e918387-b27e-4ef0-a7e0-e6f2aeb2370a_sig_es256, f150000a-1c1d-43c1-8cb2-c02b5a358e0a_sig_rs384, 2c19a26f-acaa-4b29-b36e-4cb8c013036e_enc_rsa1_5, f3837a4f-d03d-42b1-bb3b-b4be0060c3e7_sig_es384, 8025af04-c6 85-4ca6-83c1-1de19e71e85c_sig_ps256, 9e415e65-3adf-4d34-a92f-9696444b4878_sig_rs512] 2021-12-12 09:21:13,062 TRACE [qtp1990098664-16] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:387) - Select among keys (?lg: RS256, use: sig): [{"kid":366afd30-280e-47bf -aa42-d67ee5e9c640_sig_rs256,"exp":1669222444687},] 2021-12-12 09:21:13,062 TRACE [qtp1990098664-16] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:390) - Selected kid: 366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, keySel ectionStrategy: OLDER 2021-12-12 09:21:13,095 DEBUG [qtp1990098664-16] [org.gluu.oxauth.model.util.JwtUtil] (JwtUtil.java:224) - Retrieving jwks null... 2021-12-12 09:21:13,096 ERROR [qtp1990098664-16] [org.gluu.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:328) - null java.lang.NullPointerException: null at org.gluu.oxauth.model.jwk.JSONWebKeySet.fromJSONObject(JSONWebKeySet.java:118) ~[oxauth-model-4.3.0.Final.jar:?] at org.gluu.oxauth.model.token.JwrService.encryptJwe(JwrService.java:99) ~[classes/:?] at org.gluu.oxauth.model.token.JwrService.encode(JwrService.java:69) ~[classes/:?] at org.gluu.oxauth.model.token.IdTokenFactory.createJwr(IdTokenFactory.java:281) ~[classes/:?] at org.gluu.oxauth.model.token.IdTokenFactory$Proxy$_$$_WeldClientProxy.createJwr(Unknown Source) ~[classes/:?] at org.gluu.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:102) ~[classes/:?] at org.gluu.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:309) ~[classes/:?] ``` I have since also tested private_key_jwt using JWKS_URI instead of JWKS. Xauth is fetching keys from my JWKS_URI endpoint just fine, and logs them as "WebKeys", but when encrypting the ID token, oxauth insists that the encryption public key of my client should be additionally found from oxauth-keys.jks ! This seems odd, since the point of JWKS_URI is to provide a dynamic way of whitelisting public key(s). Manually provisioniong the same keys to a server-side truststore seems essentially a more tedious way of doing "JWKS". Also, using oxauth's own keystore as a client truststore seems inappropriate. Finally, oxauth tries to fetch these public keys from a KeyStore with a method that only works with private keys and not with TrustedKeyEntries. My understanding is that the keystore lookup should simply be skipped -- at least an option to skip it would be welcome. ``` 2021-12-12 10:07:03,790 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:366) - WebKeys:[366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, f150000a-1c1d-43c1-8cb2-c02b5a358e0a_sig_rs384, 9e415e65-3adf-4d34-a92f-9696444b4878_sig_rs512, ae918387-b27e-4ef0-a7e0-e6f2aeb2370a_sig_es256, f3837a4f-d03d-42b1-bb3b-b4be0060c3e7_sig_es384, dd61e2d5-9c9e-41a3-ac48-de330c38a836_sig_es512, 8025af04-c685-4ca6-83c1-1de19e71e85c_sig_ps256, b12e4030-60eb-4198-804b-b933a77f34ba_sig_ps384, 665b321e-340f-4e7a-825c-80c0c2ea15c1_sig_ps512, 2c19a26f-acaa-4b29-b36e-4cb8c013036e_enc_rsa1_5, 33d46f08-f060-4998-a10f-487c826b48cc_enc_rsa-oaep] 2021-12-12 10:07:03,790 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:367) - KeyStoreKeys:[dd61e2d5-9c9e-41a3-ac48-de330c38a836_sig_es512, postman-enc, 366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, 33d46f08-f060-4998-a10f-487c826b48cc_enc_rsa-oaep, b12e4030-60eb-4198-804b-b933a77f34ba_sig_ps384, 665b321e-340f-4e7a-825c-80c0c2ea15c1_sig_ps512, ae918387-b27e-4ef0-a7e0-e6f2aeb2370a_sig_es256, f150000a-1c1d-43c1-8cb2-c02b5a358e0a_sig_rs384, 2c19a26f-acaa-4b29-b36e-4cb8c013036e_enc_rsa1_5, f3837a4f-d03d-42b1-bb3b-b4be0060c3e7_sig_es384, 8025af04-c685-4ca6-83c1-1de19e71e85c_sig_ps256, 9e415e65-3adf-4d34-a92f-9696444b4878_sig_rs512] 2021-12-12 10:07:03,791 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:387) - Select among keys (?lg: RS256, use: sig): [{"kid":366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256,"exp":1669222444687},] 2021-12-12 10:07:03,791 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:390) - Selected kid: 366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, keySelectionStrategy: OLDER 2021-12-12 10:07:03,801 DEBUG [qtp1990098664-13] [org.gluu.oxauth.model.util.JwtUtil] (JwtUtil.java:224) - Retrieving jwks https://<mydomain>:8000/jwks... 2021-12-12 10:07:03,840 DEBUG [qtp1990098664-13] [org.gluu.oxauth.model.util.JwtUtil] (JwtUtil.java:234) - Status: 200 2021-12-12 10:07:03,872 DEBUG [qtp1990098664-13] [org.gluu.oxauth.model.util.JwtUtil] (JwtUtil.java:238) - JWK: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"postman-sig","n":"5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw"},{"kty":"RSA","e":"AQAB","use":"enc","kid":"postman-enc","alg":"RSA1_5","n":"5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw"}]} 2021-12-12 10:07:03,873 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:366) - WebKeys:[postman-sig, postman-enc] 2021-12-12 10:07:03,874 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:367) - KeyStoreKeys:[dd61e2d5-9c9e-41a3-ac48-de330c38a836_sig_es512, postman-enc, 366afd30-280e-47bf-aa42-d67ee5e9c640_sig_rs256, 33d46f08-f060-4998-a10f-487c826b48cc_enc_rsa-oaep, b12e4030-60eb-4198-804b-b933a77f34ba_sig_ps384, 665b321e-340f-4e7a-825c-80c0c2ea15c1_sig_ps512, ae918387-b27e-4ef0-a7e0-e6f2aeb2370a_sig_es256, f150000a-1c1d-43c1-8cb2-c02b5a358e0a_sig_rs384, 2c19a26f-acaa-4b29-b36e-4cb8c013036e_enc_rsa1_5, f3837a4f-d03d-42b1-bb3b-b4be0060c3e7_sig_es384, 8025af04-c685-4ca6-83c1-1de19e71e85c_sig_ps256, 9e415e65-3adf-4d34-a92f-9696444b4878_sig_rs512] 2021-12-12 10:07:03,874 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:382) - kid is not in keystore, algorithm: RSA-OAEP, kid: null, keyStorePath:/etc/certs/oxauth-keys.jks 2021-12-12 10:07:03,876 TRACE [qtp1990098664-13] [org.gluu.oxauth.model.config.ConfigurationFactory] (ConfigurationFactory.java:259) - LDAP revision: 25, server revision:25 2021-12-12 10:07:03,876 ERROR [qtp1990098664-13] [org.gluu.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:328) - null java.lang.NullPointerException: null at org.gluu.oxauth.model.crypto.AbstractCryptoProvider.getPublicKey(AbstractCryptoProvider.java:135) ~[oxauth-model-4.3.0.Final.jar:?] at org.gluu.oxauth.model.crypto.AbstractCryptoProvider$Proxy$_$$_WeldClientProxy.getPublicKey(Unknown Source) ~[oxauth-model-4.3.0.Final.jar:?] at org.gluu.oxauth.model.token.JwrService.encryptJwe(JwrService.java:102) ~[classes/:?] at org.gluu.oxauth.model.token.JwrService.encode(JwrService.java:69) ~[classes/:?] at org.gluu.oxauth.model.token.IdTokenFactory.createJwr(IdTokenFactory.java:281) ~[classes/:?] at org.gluu.oxauth.model.token.IdTokenFactory$Proxy$_$$_WeldClientProxy.createJwr(Unknown Source) ~[classes/:?] at org.gluu.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:102) ~[classes/:?] at org.gluu.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:309) ~[classes/:?] ``` Br, /Esko

By Esko Heimonen user 09 Feb 2022 at 11:59 a.m. CST

Copy

Hi, is there something I can add to help testing this? Not sure why this ticket was closed. Br, /Esko

By Aliaksandr Samuseu staff 09 Feb 2022 at 2:43 p.m. CST

Copy

Hi, Esko. Let me quickly ask around tomorrow.

By Esko Heimonen user 23 Feb 2022 at 1:36 a.m. CST

Copy

Hi, still not sure why this ticket was closed. Br, /Esko

By Esko Heimonen user 16 Apr 2022 at 8:20 a.m. CDT

Copy

Hi, Gluu v4.3.1 repeats the result I reported earlier. Entering a set of JWK to the JWKS input box in client configuration does not seem to affect ID token encryption under private_key_jwt scheme at all. Access token is granted and signed. ID token is formed. But encryption of ID token ends in a NullPointerException when JwrService tries to form WebKeys from JWKS_URI, ignoring any JWKS value. My client's relevant config: ``` oxAuthIdTokenEncryptedResponseAlg: RSA-OAEP oxAuthIdTokenEncryptedResponseEnc: A128CBC+HS256 oxAuthJwksURI (undefined) oxAuthJwks: "keys":[{ "kty": "RSA", "use": "sig", "kid": "postman-sig", "n": "5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw", "e": "AQAB" },{ "kty": "RSA", "use": "enc", "kid": "postman-enc", "n": "5fpCXNKTDfWPfNHofCkQyjHt1pR2utOh86t1HiUIF9AXQPiDJqosGtQpWvFR4-VYGXwEC9RfoMzxLpDZCcXMiD04jQ3Hx1tU-_17XVFOZDsLDZ1gwQ68zvwPVgJ08A8XlQ8Olm_PhrpP_oexEx0X5I1tKsIV1e5pVWlHeUGKTa7KiZQJPErsX3Qv5u09byJqYvB7uwlvT24uF1TXeRTUYu1fn3Q4xf34p5XA4ojGPCD9srMdiZPVG50pC-JPQ5X5nnYVLeD7N3SNRYNaUSCleyoNOQ55O-5N4LUP7tpg3KqUH6JpRKz83ckbCz852c176jKL_CeAqlYgUYnZ59XDIw", "e": "AQAB" }]} ``` The related code in JwrService.java seems to assume that the only option for providing client JWK set is via JWKS_URI. There is no code to inspect JWKS value. 97 if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) { 98 JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri()); 99 String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), 100 Algorithm.fromString(keyEncryptionAlgorithm.getName()), 101 Use.ENCRYPTION); 102 PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys, null); 103 jwe.getHeader().setKeyId(keyId); 104 105 if (publicKey == null) { 106 throw new InvalidJweException("The public key is not valid"); 107 } 108 109 JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, encryptionMethod, publicKey); 110 return jweEncrypter.encrypt(jwe); 111 } I have also set up a JWKS_URI endpöoint over HTTPS for my test service, and tried configuring it in my client's JWKS_URI. Reading JWKS value from there currently fails in ERROR [qtp2085002312-19] [org.gluu.oxauth.model.util.JwtUtil] (JwtUtil.java:267) - RESTEASY004655: Unable to invoke request: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [] I have added my test service's server certficate to OpenJDK cacerts. The certificate is found by RestEasy, but I'm not sure how one makes the certificate's alternative name to "match" (with what?).

You need to Login in order to post an answer

JWKS support for encrypting ID token

By: Esko Heimonen user 24 Nov 2021 at 1:52 a.m. CST

Answers

By Mohib Zico Account Admin 11 Dec 2021 at 9:26 p.m. CST

By Esko Heimonen user 12 Dec 2021 at 4:20 a.m. CST

By Esko Heimonen user 09 Feb 2022 at 11:59 a.m. CST

By Aliaksandr Samuseu staff 09 Feb 2022 at 2:43 p.m. CST

By Esko Heimonen user 23 Feb 2022 at 1:36 a.m. CST

By Esko Heimonen user 16 Apr 2022 at 8:20 a.m. CDT

Post an answer