Authentication: private_key_jwt

By: Awais Akhtar user 13 Sep 2019 at 4:56 a.m. CDT

5 Responses
Awais Akhtar gravatar
For private_key_jwt type authentication Gluu is only checking existance of keyID and not verifying jwt? Usecase: I created jwt token and signed it with private Key1. I have different Key2 public key with same keyID as of key1 in JWKS . On token end point I can still get the access token even though authentication should fail because of different Keys. In oxAuth.log it says authentication success for the client. I am using AppAuth for android. At the client end I am using correct signing algorithm as well token_endpoint_auth_signing_alg=RS256. OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** fromSampleApp - **Client ID:** @!6BE3.432A.83A1.3BA2!0001!9BB4.92C4!0008!A285.DCED.EA0C.FA20 - **Subject Type:** pairwise - **Expirattion date:** Wed Sep 13 00:00:00 UTC 2119 - **ClientSecret:** XXXXXXXXXXX - **Application Type:** native - **Persist Client Authorizations:** true - **Pre-Authorization:** false - **Authentication method for the Token Endpoint:** private_key_jwt - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Login Redirect URIs:** [appscheme://com.ikmb.appauthsample] - **AccessTokenSigningAlg:** RS256 - **Scopes:** [email, uma_protection, permission, openid, oxd, profile] - **Grant types:** [refresh_token, authorization_code] - **Response types:** [code] am I missing something in client configuration or have misunderstanding of the flow? PS: I do get invalidJwtException if the keyId is not in JWKS.
Ubuntu 16.0
closed

Answers

By Yuriy Zabrovarnyy staff 16 Sep 2019 at 12:34 p.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Does it mean there is same `kid` for different keys ? Would you be so kind to post : * JWKS * oxauth.log * Key1 and Key2 * LDIF of your client Also it would be nice to know how you generate your JWKS. It's expected to have different `kid` values for different keys (unless there is `kty` difference). Here is snippet from [spec](https://tools.ietf.org/html/rfc7517#section-4.5) ``` When "kid" values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct "kid" values. (One example in which different keys might use the same "kid" value is if they have different "kty" (key type) values but are considered to be equivalent alternatives by the application using them.) ``` Thanks, Yuriy Z

By Awais Akhtar user 17 Sep 2019 at 8:15 a.m. CDT

Copy
Awais Akhtar gravatar
Hi @Yuriy.Zabrovarnyy, Thank you for getting back. Noticed my mistake the keys were same only attribute "use" was different. I am using nimbus-jose-jwt:7.8 to generate RSA keys. ``` KeyPaireGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(2048); signingKey = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic()) .privateKey((RSAPrivateKey) keyPair.getPrivate()) .keyUse(KeyUse.SIGNATURE) .keyID(UUID.randomUUID().toString()) .build(); //was generating jwtk from same/KeyPair testKey = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic()) .privateKey((RSAPrivateKey) keyPair.getPrivate()) .keyUse(KeyUse.ENCR) .keyID(UUID.randomUUID().toString()) .build(); ``` Its working as it should, I just tested different usecases: missing keys at client JWKS, sameId but different keys etc. Another quick question though if we want encrypted access token while using: ``` id_token_encrypted_response_alg="RSA-OAEP" id_token_encrypted_response_enc= "A128CBC+HS256" ``` in dynamic client registration step. Which key will be used to encrypt access token? Can we specify somehow? or its automatically picked from provided jwks set on basis of use:"enc" parameter. Our client is native so we don't we pushing a public key for encryption on client registration in jwks. Thanks alot for guiding.

By Yuriy Zabrovarnyy staff 17 Sep 2019 at 10:03 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Glad to hear that everything works as expected. re: Which key will be used to encrypt access token? To get signed access token as JWT `access_token_as_jwt` should be set to `true`. Signing algorithm is specified via `access_token_signing_alg` client's property (JWT is signed but not encrypted and signed. Encryption is not supported yet. [Feature scheduled](https://github.com/GluuFederation/oxAuth/issues/1154)). If it's not set then default algorithm is used (which is `RS256` if it's not changed in oxauth configuration). Key is picked up automatically and takes first key which match algorithm (e.g. in your example `"alg" : "RSA-OAEP"`). Thanks, Yuriy Z

By Awais Akhtar user 20 Sep 2019 at 10:37 a.m. CDT

Copy
Awais Akhtar gravatar
Thanks, sounds great. Looking forward to version 4.1

By Yuriy Zabrovarnyy staff 20 Sep 2019 at 10:52 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
Great, closing this ticket.

Post an answer