Feature request: implement kid checking to authentication request validation #23
Comments
|
That chapter describes how OP may retrieve a new keyset after noticing a new kid value (i.e. key containing the kid not found in the cached keyset) indicating that there may have been a key rollover. That chapter does not say OP should not iterate suitable keys (sig/enc) of the keyset when trying to validate the JWT. I actually tried to locate from the specs if our approach of trying each suitable key found from RP's keyset is blatantly wrong but could not found such. All I found was https://tools.ietf.org/html/rfc7515#section-6 that to me suggests it is not. That said, it still makes sense to use the kid to pick the correct key based on the kid value. |
|
Well, now that you mention it and to be frank, the actual requirement in this case comes from the Finnish Trust Network requirements (213/2018 S) in section 3.2.1. I will not link it here since those who are interested can find it. I even will not comment my own opinion about the specification. I can now see that you are correct. Originally this wasn't very detailed request at all. The key exchange and key selection really does need some more thinking in the FTN and that has been communicated quite strong to respective stakeholders. However, I wanted to relay you the worries that our partners have conveyed to us. |
Apparently the extension does not currently check for the kid value on request object header, but iterates all keys in the keyset. According to the core (10.1.1):
Please, would it be possible to consider implementing the core kind of way and using the JOSE Header kid value in selecting the key to validate the signature?
The text was updated successfully, but these errors were encountered: