This topic contains 5 replies, has 2 voices, and was last updated by  Andrew 3 months, 2 weeks ago.

  • #25858
     Andrew 
    Participant

    The kid value in a JWT is optional – https://tools.ietf.org/html/rfc7515#section-4.1.4.

    Anyone know if there is a way to omit the kid value from a JWT generated as part of an OIDC Authorisation Code flow?

    Thanks

    #25861
     Peter Major 
    Moderator

    The kid value in the id_token allows remote parties to identify which key was used to sign the token. Is there a reason why that’s causing a problem for you?

    #25866
     Andrew 
    Participant

    I’m having a problem where a 3rd party is receiving a bearer token I’ve created and signed with the default public key. They want to use a certificate in their local certificate store rather than the kid and JWKS_URI. I have tested the public key and the certificate in OpenAM with my JWT on jwt.io and they validate fine.

    The 3rd party is getting this error:
    org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to verify the signature with any of the provided keys – SHA-1 thumbs of provided certificates: [5eOfy1Nn2MMIKVRRkq0OgFAw348, xQNNUtnyjsoKPU8hgDZzxiWbjyg].): JsonWebSignature{"typ":"JWT","kid":"wU3ifIIaLOUAReRB/FG6eM1P1QM=","alg":"RS256"}

    They have suggested the problem is that with the kid it's not using the right certificate to verify the signature. So they have asked if we can remove the kid from the JWT to verify – supposedly they asked this of others as their default.

    #25902
     Andrew 
    Participant

    Sort of on this track, is it possible to specify the kid value manually?

    #25911
     Peter Major 
    Moderator

    Customizing the key ID is possible since https://bugster.forgerock.org/jira/browse/OPENAM-14394.

    It *seems* like the JOSE4j tries to generate thumbprints for your public keys, and the thumbprint does not match with the kid value generated by AM. Can you provide your public keys differently to the JOSE library so that it has the correct kid values?

    #25924
     Andrew 
    Participant

    Thanks Peter – We managed to get around this. The client was posting additional information with the JWT by mistake which invalidated the signature. We good now.
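The following is an added example, not code from this thread, OpenAM or jose4j. It shows the verifier side of what Peter describes (key lookup by `kid`, the "unresolvable key" failure when the token's `kid` matches none of the relying party's keys, and an RFC 7638 thumbprint as one of the ways a library may derive a `kid`) together with the cause Andrew eventually found: any extra bytes added to the signed segments invalidate the signature. It uses HS256 so that it runs on the Python standard library alone; the thread's tokens are RS256, where the `kid` resolution logic is identical but the signature check needs an RSA library. All keys, claims and kids below are constructed placeholders.

```python
"""Constructed demo: resolve a JWS key by kid from a JWKS, verify HS256, and
exercise the two failure modes discussed in the thread (not OpenAM/jose4j code)."""
import base64
import hashlib
import hmac
import json


class UnresolvableKeyError(Exception):
    """No JWKS key matches the token's kid (cf. jose4j's UnresolvableKeyException)."""


class InvalidJwtError(Exception):
    """Token is malformed, uses an unexpected alg, or fails signature verification."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members)).
    A relying party that derives kids this way will never match a kid the issuer
    computed by some other rule (e.g. a SHA-1 over a certificate), which is the
    kind of mismatch the thread's error message reports."""
    required = {"oct": ("k", "kty"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in required}, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("ascii")).digest())


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, jwks: dict) -> dict:
    """Return the claims if a JWKS key (narrowed by kid when one is present) verifies the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidJwtError("a JWS compact serialization has exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise InvalidJwtError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    # kid is optional (RFC 7515 4.1.4): without it every key must be tried,
    # with it the search narrows to the matching key and fails fast otherwise.
    candidates = [k for k in jwks["keys"]
                  if k.get("kty") == "oct" and (kid is None or k.get("kid") == kid)]
    if not candidates:
        raise UnresolvableKeyError(
            f"no key for kid={kid!r}; known kids: {[k.get('kid') for k in jwks['keys']]}")
    signature = b64url_decode(s)
    for key in candidates:
        mac = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(mac, signature):
            return json.loads(b64url_decode(p))
    raise InvalidJwtError("signature does not verify with any candidate key")


# Constructed sample material (placeholder secret, not a real key).
SECRET = b"constructed-demo-secret-do-not-reuse"
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "k": b64url_encode(SECRET)}]}
HEADER = {"typ": "JWT", "alg": "HS256", "kid": "demo-key-1"}
CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "aud": "client-1"}


def demo() -> dict:
    """Run the four scenarios and report the outcome of each."""
    results = {}
    token = sign_hs256(HEADER, CLAIMS, SECRET)
    results["valid"] = verify_hs256(token, JWKS) == CLAIMS
    # No kid at all: permitted, the verifier simply tries every key it holds.
    no_kid = sign_hs256({"typ": "JWT", "alg": "HS256"}, CLAIMS, SECRET)
    results["no_kid"] = verify_hs256(no_kid, JWKS) == CLAIMS
    # kid present but unknown to the relying party: unresolvable, as in the thread's error.
    try:
        verify_hs256(sign_hs256({**HEADER, "kid": "other-kid"}, CLAIMS, SECRET), JWKS)
        results["wrong_kid"] = "accepted"
    except UnresolvableKeyError:
        results["wrong_kid"] = "unresolvable"
    # Extra data appended to the payload segment after signing: right key, bad signature.
    h, p, s = token.split(".")
    try:
        verify_hs256(f"{h}.{p}{b64url_encode(b'extra')}.{s}", JWKS)
        results["tampered"] = "accepted"
    except InvalidJwtError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The distinction between the two exceptions is the diagnostic point: an unresolvable `kid` means the relying party's key material was loaded under different identifiers than the issuer's, while a rejected signature with a resolvable key means the bytes verified were not the bytes signed.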


©2019 ForgeRock
