By: Bhupinder Saini user 13 Feb 2019 at 7:17 a.m. CST

1 Response
Deployed 3.1.5 on Ubuntu 16.04. Below is the output of the OpenID Connect configuration at https://gluu.ban.io:8443/.well-known/openid-configuration

```
{
  "issuer": "https://gluu.ban.io",
  "authorization_endpoint": "https://gluu.ban.io/oxauth/restv1/authorize",
  "token_endpoint": "https://gluu.ban.io/oxauth/restv1/token",
  "userinfo_endpoint": "https://gluu.ban.io/oxauth/restv1/userinfo",
  "clientinfo_endpoint": "https://gluu.ban.io/oxauth/restv1/clientinfo",
  "check_session_iframe": "https://gluu.ban.io/oxauth/opiframe.htm",
  "end_session_endpoint": "https://gluu.ban.io/oxauth/restv1/end_session",
  "jwks_uri": "https://gluu.ban.io/oxauth/restv1/jwks",
  "registration_endpoint": "https://gluu.ban.io/oxauth/restv1/register",
  "id_generation_endpoint": "https://gluu.ban.io/oxauth/restv1/id",
  "introspection_endpoint": "https://gluu.ban.io/oxauth/restv1/introspection",
  "response_types_supported": [
    "code", "code id_token token", "id_token", "code token", "token",
    "code id_token", "id_token token"
  ],
  "grant_types_supported": [
    "client_credentials", "implicit", "password", "refresh_token",
    "urn:ietf:params:oauth:grant-type:uma-ticket", "authorization_code"
  ],
  "acr_values_supported": ["basic", "auth_ldap_server"],
  "auth_level_mapping": {"-1": ["auth_ldap_server"], "100": ["basic"]},
  "subject_types_supported": ["public", "pairwise"],
  "userinfo_signing_alg_values_supported": [
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"
  ],
  "userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "userinfo_encryption_enc_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "id_token_signing_alg_values_supported": [
    "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"
  ],
  "id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "id_token_encryption_enc_values_supported": ["A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM"],
  "request_object_signing_alg_values_supported": [
    "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"
  ],
  "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "request_object_encryption_enc_values_supported": ["A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM"],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"
  ],
  "display_values_supported": ["page", "popup"],
  "claim_types_supported": ["normal"],
  "service_documentation": "http://gluu.org/docs",
  "id_token_token_binding_cnf_values_supported": ["tbh"],
  "claims_locales_supported": ["en"],
  "ui_locales_supported": ["en", "es"],
  "scopes_supported": [
    "address", "phone", "openid", "mobile_phone", "clientinfo", "user_name",
    "profile", "uma_protection", "permission", "oxd", "email"
  ],
  "claims_supported": [
    "street_address", "country", "zoneinfo", "birthdate", "role", "gender",
    "formatted", "user_name", "phone_mobile_number", "preferred_username",
    "locale", "inum", "updated_at", "nickname", "email", "website",
    "email_verified", "profile", "locality", "phone_number_verified",
    "given_name", "middle_name", "picture", "name", "phone_number",
    "postal_code", "region", "family_name"
  ],
  "scope_to_claims_mapping": [
    {"profile": [
      "name", "family_name", "given_name", "middle_name", "nickname",
      "preferred_username", "profile", "picture", "website", "gender",
      "birthdate", "zoneinfo", "locale", "updated_at"
    ]},
    {"permission": ["role"]},
    {"openid": []},
    {"oxd": []},
    {"email": ["email_verified", "email"]},
    {"mobile_phone": ["phone_mobile_number"]},
    {"uma_protection": []},
    {"phone": ["phone_number_verified", "phone_number"]},
    {"address": ["formatted", "postal_code", "street_address", "locality", "country", "region"]},
    {"clientinfo": ["name", "inum"]},
    {"user_name": ["user_name"]}
  ],
  "claims_parameter_supported": true,
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": false,
  "op_policy_uri": "http://ox.gluu.org/doku.php?id=oxauth:policy",
  "op_tos_uri": "http://ox.gluu.org/doku.php?id=oxauth:tos",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true
}
```

As per the GLUU source code, it uses the BouncyCastle provider, which in turn supports the PS256 algorithm. For more information on PS256 refer to the link below: https://connect2id.com/products/nimbus-jose-jwt/algorithm-selection-guide

## Expected

Does GLUU support the PS256 algorithm for signature and encryption in the OpenID Connect configuration?

Thanks,
Bhupinder Singh

> As described in the presentation by Mike: https://www.slideshare.net/gluu/the-client-is-not-always-right-how-to-secure-oauth-authentication-from-your-app
> Slide "Crypto guidelines":
> - RSA keys with a minimum of 2048 bits if using RSA cryptography
> - Elliptic Curve keys with a minimum of 160 bits if using Elliptic Curve cryptography
> - Client secret should have a minimum of 128 bits if using symmetric key cryptography
> - Sign with PS256 (RSASSA-PSS using SHA-256 and MGF1 with SHA-256) or ES256 (ECDSA using P-256 and SHA-256)
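The question above boils down to a check a relying party can automate: read the OP's discovery document, see whether the preferred signature algorithms (PS256 or ES256) are offered and whether `none` is, then pull the JWKS and apply the key-size floors from the slide. The script below is an added example written for this thread, not Gluu's code. It embeds a cut-down copy of the discovery document quoted above and a constructed JWKS whose `n` values are filler bytes of the right length rather than real RSA moduli; the EC floor is set at P-256 (stricter than the slide's 160 bits, since ES256 requires P-256 anyway). Against the quoted document it reports that `id_token_signing_alg_values_supported` offers ES256 but not PS256 and still lists `none`.

```python
"""Audit an OpenID Provider's discovery document and JWKS against a
signing policy: prefer PS256/ES256, flag "none", enforce key-size floors."""
import base64
import json

# Constructed sample: only the fields this check reads, copied from the
# discovery document quoted in the post above.
SAMPLE_DISCOVERY = {
    "issuer": "https://gluu.ban.io",
    "jwks_uri": "https://gluu.ban.io/oxauth/restv1/jwks",
    "id_token_signing_alg_values_supported": [
        "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
        "ES256", "ES384", "ES512"],
    "token_endpoint_auth_signing_alg_values_supported": [
        "HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
        "ES256", "ES384", "ES512"],
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_int_bits(s: str) -> int:
    """Bit length of a base64url-encoded big-endian integer (JWK 'n')."""
    pad = "=" * (-len(s) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(s + pad), "big").bit_length()

# Constructed JWKS: 'n' is filler with the top bit set so the integer has
# exactly 2048 / 1024 bits. These are NOT real keys, only size fixtures.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-2048", "alg": "RS256",
     "n": _b64url(b"\xc0" + b"\x11" * 255), "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa-1024", "alg": "RS256",
     "n": _b64url(b"\xc0" + b"\x11" * 127), "e": "AQAB"},
    {"kty": "EC", "kid": "ec-p256", "alg": "ES256", "crv": "P-256"},
]}

EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}
PREFERRED_SIG_ALGS = {"PS256", "ES256"}   # from the slide quoted above
SIG_ALG_FIELDS = (
    "id_token_signing_alg_values_supported",
    "token_endpoint_auth_signing_alg_values_supported",
)

def audit_discovery(doc: dict) -> dict:
    """For each signing-alg list: which preferred algs are offered, and
    whether the unsigned 'none' alg is advertised at all."""
    findings = {}
    for field in SIG_ALG_FIELDS:
        algs = set(doc.get(field, []))
        findings[field] = {
            "offers_preferred": sorted(algs & PREFERRED_SIG_ALGS),
            "offers_none": "none" in algs,
        }
    return findings

def audit_jwks(jwks: dict, min_rsa_bits: int = 2048,
               min_ec_bits: int = 256) -> dict:
    """Map kid -> (key bits, meets floor). Unknown key types fail."""
    result = {}
    for key in jwks.get("keys", []):
        kid = key.get("kid", "<no kid>")
        if key.get("kty") == "RSA":
            bits = _b64url_int_bits(key["n"])
            result[kid] = (bits, bits >= min_rsa_bits)
        elif key.get("kty") == "EC":
            bits = EC_CURVE_BITS.get(key.get("crv"), 0)
            result[kid] = (bits, bits >= min_ec_bits)
        else:
            result[kid] = (0, False)
    return result

if __name__ == "__main__":
    # Offline run over the constructed fixtures; in practice fetch the
    # discovery document and the URL in its "jwks_uri" over HTTPS instead.
    print(json.dumps(audit_discovery(SAMPLE_DISCOVERY), indent=2))
    print(json.dumps(audit_jwks(SAMPLE_JWKS), indent=2))
```

Note that `audit_discovery` only tells you what the OP advertises; the relying party's JWT library still has to be configured to accept only the algorithms you want, because an attacker-supplied `alg: none` token is rejected by the verifier, not by the discovery document.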

By William Lowe user 13 Feb 2019 at 11:31 a.m. CST

This will be included in the next version, 3.1.6, which should be out by the end of the month. See here: https://github.com/GluuFederation/oxAuth/issues/997

Thanks,
Will