By: Guy Resmini user 07 Aug 2018 at 7:26 a.m. CDT

Hello, I have implemented "Gluu's OpenID Connect JavaScript implicit client" on my Single Page Application. Everything works fine, however, I still have a few questions about the JWT's signature. I read the documentation below to implement it: https://gluu.org/docs/ce/integration/spa/oauth-js-implicit/

Obviously there is no way to use the "secret" defined in Gluu's client application. I have looked into the JS library, and this part is commented out... https://cdn.rawgit.com/GluuFederation/openid-implicit-client/master/openidconnect.js

```
/**
 * @property {array} OIDC.supportedClientOptions - List of supported Client configuration parameters
 * @property {string} OIDC.supportedClientOptions.client_id - The client's client_id
 * @property {string} OIDC.supportedClientOptions.redirect_uri - The client's redirect_uri
 * @readonly
 * @memberof OIDC
 * */
OIDC.supportedClientOptions = [
  'client_id',
  'redirect_uri'
  // 'client_secret',
];
```

How can you verify the signature without the secret? And how do you guarantee the security of the JWT?

Thanks,
Guy

By Michael Schwartz Account Admin 07 Aug 2018 at 9:23 a.m. CDT

Client secret can't be protected in a javascript application. You could use asymmetric signing, as the OP publishes a jwks_uri in the configuration document (i.e. `.well-known/openid-configuration`).

By Guy Resmini user 08 Aug 2018 at 8:30 a.m. CDT

Thank you for your answer.

Have a nice day,
Guy

By Michael Schwartz Account Admin 08 Aug 2018 at 10:10 a.m. CDT

[ID_Token Validation](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)

```
6. If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature.
```

So in lieu of checking the token signature, you could check to make sure the `iss` is the same as the `cn` of the TLS certificate. If you're a JS guru, feel free to submit a PR to the openid-implicit library that does that. We don't maintain that library anymore, because our preferred JS library is [AppAuth-JS](https://github.com/openid/AppAuth-JS).