oxd jwt verification

By: Patrick McKinnon user 03 Jan 2017 at 5:28 p.m. CST

3 Responses
Patrick McKinnon gravatar
Is there any way to get the public key used by the oxd server to sign the jwt id_token so that the token can be verified later? As far as I can tell the only way to validate credentials is to call the "get_user_info" endpoint with the access_token, however I don't think incurring this oxd network request on every access is ideal. Also, I don't see anything in the oxd protocol that indicates how a refresh_token can be used to refresh an expired access_token. Is it just missing from the documentation?
U1404
closed

Answers

By Michael Schwartz Account Admin 03 Jan 2017 at 10:56 p.m. CST

Copy
Michael Schwartz gravatar
Two excellent ideas... 1. The signed id_token is included in the `get_tokens_by_code` API call, and this could be passed along with the public key of the OpenID Provider. In version 2.4 of the Gluu Server the id_token includes the user claims. In version 3.0 of the Gluu Server, the user claims will be included in the id_token only if you use set the "legacy_mode" JSON property. There is no way to get the signed JWT response for the `get_user_info` API call. I created an enhancement for this: [https://github.com/GluuFederation/oxd/issues/65](https://github.com/GluuFederation/oxd/issues/65) 2. Good idea... I added [https://github.com/GluuFederation/oxd/issues/64](https://github.com/GluuFederation/oxd/issues/64)

By Michael Schwartz Account Admin 03 Jan 2017 at 10:57 p.m. CST

Copy
Michael Schwartz gravatar
Yuriy, if you have anything to add, please comment. Otherwise, close the issue.

By Yuriy Zabrovarnyy staff 04 Jan 2017 at 3:03 a.m. CST

Copy
Yuriy Zabrovarnyy gravatar
Nothing to add, everything is explained. Closing.

Post an answer