By: Patrick McKinnon user 03 Jan 2017 at 5:28 p.m. CST

3 Responses
Is there any way to get the public key used by the oxd server to sign the jwt id_token so that the token can be verified later?

As far as I can tell the only way to validate credentials is to call the "get_user_info" endpoint with the access_token, however I don't think incurring this oxd network request on every access is ideal.

Also, I don't see anything in the oxd protocol that indicates how a refresh_token can be used to refresh an expired access_token. Is it just missing from the documentation?

By Michael Schwartz Account Admin 03 Jan 2017 at 10:56 p.m. CST

Two excellent ideas...

  1. The signed id_token is included in the get_tokens_by_code API call, and this could be passed along with the public key of the OpenID Provider. In version 2.4 of the Gluu Server the id_token includes the user claims. In version 3.0 of the Gluu Server, the user claims will be included in the id_token only if you set the "legacy_mode" JSON property. There is no way to get the signed JWT response for the get_user_info API call. I created an enhancement for this: https://github.com/GluuFederation/oxd/issues/65

  2. Good idea... I added https://github.com/GluuFederation/oxd/issues/64
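Added example, not code from oxd or from the posters: local verification of an RS256 id_token against the OpenID Provider's public key in JWKS form, which is what the question above asks for. The demo key, `DEMO_JWKS`, `demo_sign`, the issuer URL and the client id are constructed stand-ins; in practice the JWKS comes from the OP's `jwks_uri` and a maintained JOSE library would do the RSA step.

```python
import base64, hashlib, hmac, json, time
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(message, k):  # block a valid RS256 signature opens to (k-byte modulus)
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token, jwks, issuer, audience, now=None):  # claims, or ValueError
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception:
        raise ValueError("malformed token") from None
    if header.get("alg") != "RS256":  # pin the algorithm; the token does not get to choose
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    s, want = int.from_bytes(sig, "big"), emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)
    if len(sig) != k or s >= n or not hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), want):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss or aud")
    exp, now = claims.get("exp"), time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired")
    return claims

# Constructed demo key from two Mersenne primes (NOT secure), standing in for the OP's key
N, D, K = (2**521 - 1) * (2**607 - 1), pow(65537, -1, (2**521 - 2) * (2**607 - 2)), 141
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo", "n": b64url_encode(N.to_bytes(K, "big")), "e": "AQAB"}]}

def demo_sign(claims):  # plays the OP: issues an RS256 token under the demo key
    seg = lambda obj: b64url_encode(json.dumps(obj).encode())
    msg = seg({"alg": "RS256", "kid": "demo"}) + "." + seg(claims)
    s = pow(int.from_bytes(emsa_pkcs1_v15(msg.encode(), K), "big"), D, N)
    return msg + "." + b64url_encode(s.to_bytes(K, "big"))
```

Caching the JWKS and refetching it only when a token carries an unknown `kid` keeps verification off the network on each request.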

By Michael Schwartz Account Admin 03 Jan 2017 at 10:57 p.m. CST

Yuriy, if you have anything to add, please comment. Otherwise, close the issue.

By Yuriy Zabrovarnyy staff 04 Jan 2017 at 3:03 a.m. CST

Nothing to add, everything is explained. Closing.