From 17af2502c7d2f67a9e35760f7fa204a7ec84731a Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Fri, 7 Jul 2023 17:33:11 -0500 Subject: [PATCH 01/12] Add key discovery example --- index.html | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 89 insertions(+), 1 deletion(-) diff --git a/index.html b/index.html index 1121a6ad..8414a341 100644 --- a/index.html +++ b/index.html @@ -474,7 +474,95 @@

Well Known URIs

- +
+

OpenID Connect

+

+ OIDC uses Well-Known Uniform Resource Identifiers (URIs) + to enable issuer key discovery. +

+
    +
  1. +

    + The verifier (or relying party), + decodes the JWT claimset, and obtains the iss claim. +

    +
  2. +
  3. +

    + The iss is converted to the well known open id connect configuration + endpoint by applying the following template URI. +

    +
    +            https://{iss}/.well-known/openid-configuration
    +          
    +
  4. +
  5. +

    + The OIDC Configuration Endpoint URL is dereferenced to a JSON document which contains issuer configuration details, + one of which is the jwks_uri. This URL might also be well known, for example: +

    +
    +            https://{iss}/.well-known/jwks
    +          
    +
  6. +
  7. +

    + The OIDC jwks_uri is dereferenced to a JSON Web Key Set. +

    +

    + The content type of the key set could be + application/jwk-set+json + or application/json. +

    +

    + Here is an example of a key set used by an issuer: +

    +
    +{
    +  "keys": [
    +    {
    +      "alg": "RS256",
    +      "kty": "RSA",
    +      "use": "sig",
    +      "n": "wW9TkSbcn5FV3iUJ-812sqTvwTGCFrDm6vD2U-g23gn6rrBdFZQbf2bgEnSkolph6CanOYTQ1lKVhKjHLd6Q4MDVGidbVBhESxib2YIzJVUS-0oQgizkBEJxyHI4Zl3xX_sdA_yegLUi-Ykt_gaMPSw_vpxe-pBxu-jd14i-jDfwoPJUdF8ZJGS9orCPRiHCYLDgOscC9XibH9rUbTvG8q4bAPx9Ox6malx4OLvU3pXVjew6LG3iBi2YhpCWe6voMvZJYXqC1n5Mk_KOdGcCFtDgu3I56SGSfsF7-tI7qG1ZO8RMuzqH0LkJVirujYzXrnMZ7WgbMPXmHU8i4z04zw",
    +      "e": "AQAB",
    +      "kid": "NTBGNTJEMDc3RUE3RUVEOTM4NDcyOEFDNzEyOTY5NDNGOUQ4OEU5OA",
    +      "x5t": "NTBGNTJEMDc3RUE3RUVEOTM4NDcyOEFDNzEyOTY5NDNGOUQ4OEU5OA",
    +      "x5c": [
    +        "MIIDCzCCAfOgAwIBAgIJANPng0XRWwsdMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNVBAMMEWNvbnRvc28uYXV0aDAuY29tMB4XDTE0MDcxMTE2NTQyN1oXDTI4MDMxOTE2NTQyN1owHDEaMBgGA1UEAwwRY29udG9zby5hdXRoMC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBb1ORJtyfkVXeJQn7zXaypO/BMYIWsObq8PZT6DbeCfqusF0VlBt/ZuASdKSiWmHoJqc5hNDWUpWEqMct3pDgwNUaJ1tUGERLGJvZgjMlVRL7ShCCLOQEQnHIcjhmXfFf+x0D/J6AtSL5iS3+Bow9LD++nF76kHG76N3XiL6MN/Cg8lR0XxkkZL2isI9GIcJgsOA6xwL1eJsf2tRtO8byrhsA/H07HqZqXHg4u9TeldWN7DosbeIGLZiGkJZ7q+gy9klheoLWfkyT8o50ZwIW0OC7cjnpIZJ+wXv60juobVk7xEy7OofQuQlWKu6NjNeucxntaBsw9eYdTyLjPTjPAgMBAAGjUDBOMB0GA1UdDgQWBBTLarHdkNa5CzPyiKJU51t8JWn9WTAfBgNVHSMEGDAWgBTLarHdkNa5CzPyiKJU51t8JWn9WTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQA2FOjm+Bpbqk59rQBC0X6ops1wBcXH8clnXfG1G9qeRwLEwSef5HPz4TTh1f2lcf4Pcq2vF0HbVNJFnLVV+PjR9ACkto+v1n84i/U4BBezZyYuX2ZpEbv7hV/PWxg8tcVrtyPaj60UaA/pUA86CfYy+LckY4NRKmD7ZrcCzjxW2hFGNanfm2FEryxXA3RMNf6IiW7tbJ9ZGTEfA/DhVnZgh/e82KVX7EZnkB4MjCQrwj9QsWSMBtBiYp0/vRi9cxDFHlUwnYAUeZdHWTW+Rp2JX7Qwf0YycxgyjkGAUEZc4WpdNiQlwYf5G5epfOtHGiwiJS+u/nSYvqCFt57+g3R+"
    +      ]
    +    },
    +    {
    +      "alg": "RS256",
    +      "kty": "RSA",
    +      "use": "sig",
    +      "n": "ylgVZbNR4nlsU_AbU8Zd7ZhVfmYuwq-RB1_YQWHY362pAed-qgSXV1QmKwCukQ2WDsPHWgpPuEf3O_acmJcCiSxhctpBr5WKkji5o50YX2FqC3xymGkYW5NilvFznKaKU45ulBVByrcb3Vt8BqqBAhaD4YywZZKo7mMudcq_M__f0_tB4fHsHHe7ehWobWtzAW7_NRP0_FjB4Kw4PiqJnChPvfbuxTCEUcIYrshRwD6GF4D_oLdeR44dwx4wtEgvPOtkQ5XIGrhQC_sgWcb2jh7YXauVUjuPezP-VkK7Wm9mZRe758q43SWxwT3afo5BLa3_YLWazqcpWRXn9QEDWw",
    +      "e": "AQAB",
    +      "kid": "aMIKy_brQk3nLd0PKd9ln",
    +      "x5t": "-xcTyx47q3ddycG7LtE6QCcETbs",
    +      "x5c": [
    +        "MIIC/TCCAeWgAwIBAgIJH62yWyX7VxxQMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMTEWNvbnRvc28uYXV0aDAuY29tMB4XDTIwMDMxMTE5Mjk0N1oXDTMzMTExODE5Mjk0N1owHDEaMBgGA1UEAxMRY29udG9zby5hdXRoMC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKWBVls1HieWxT8BtTxl3tmFV+Zi7Cr5EHX9hBYdjfrakB536qBJdXVCYrAK6RDZYOw8daCk+4R/c79pyYlwKJLGFy2kGvlYqSOLmjnRhfYWoLfHKYaRhbk2KW8XOcpopTjm6UFUHKtxvdW3wGqoECFoPhjLBlkqjuYy51yr8z/9/T+0Hh8ewcd7t6Fahta3MBbv81E/T8WMHgrDg+KomcKE+99u7FMIRRwhiuyFHAPoYXgP+gt15Hjh3DHjC0SC8862RDlcgauFAL+yBZxvaOHthdq5VSO497M/5WQrtab2ZlF7vnyrjdJbHBPdp+jkEtrf9gtZrOpylZFef1AQNbAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPVdE4SPvuhlODV0GOcPE4QZ7xNuMA4GA1UdDwEB/wQEAwIChDANBgkqhkiG9w0BAQsFAAOCAQEAu2nhfiJk/Sp49LEsR1bliuVMP9nycbSz0zdp2ToAy0DZffTd0FKk/wyFtmbb0UFTD2aOg/WZJLDc+3dYjWQ15SSLDRh6LV45OHU8Dkrc2qLjiRdoh2RI+iQFakDn2OgPNgquL+3EEIpbBDA/uVoOYCbkqJNaNM/egN/s2vZ6Iq7O+BprWX/eM25xw8PMi+MU4K2sJpkcDRwoK9Wy8eeSSRIGYnpKO42g/3QI9+BRa5uD+9shG6n7xgzAPGeldUXajCThomwO8vInp6VqY8k3IeLEYoboJj5KMfJgOWUkmaoh6ZBJHnCogvSXI35jbxCxmHAbK+KdTka/Yg2MadFZdA=="
    +      ]
    +    }
    +  ]
    +}
    +          
    +
  8. +
  9. +

    + The verifier (or relying party), + uses kid from the protected header of the JWT, + to identify the publc key, controlled by the issuer, used to verify the token. +

    +

    + The verifier (or relying party), + verifies the signature on the JWT. + After verification, the claims the issuer has made about the subject can be reviewed or processed, + because the integrity of the claims has been protected by a digital signature verification. +

    +
  10. +
+
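Review bot: the procedure goes straight from reading `iss` to dereferencing URLs derived from it, with no step that decides whether that issuer is one the verifier accepts, so a verifier implementing these steps literally will fetch whatever host an attacker names in `iss` and trust the key set it serves. Add a step before the template is applied that checks `iss` against the verifier's configured list of accepted issuers, and a step after the configuration document is fetched that checks its `issuer` member is identical to the `iss` value (OpenID Connect Discovery requires this comparison). The later steps also need a caveat: `kid` is read from the protected header before any signature has been checked, so it is only a hint for selecting among the issuer's published keys, and the selected key's `alg` and `use` (in the example, `RS256` and `sig`) should be required to match the header `alg` and the signing operation before the key is used. As written, "the claims ... can be reviewed or processed" after a successful signature check reads as if signature verification alone establishes trust in the issuer, which it does not.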
From e5a5fc4f294eda66f0a13e1637d3b1b9a74c32d4 Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Fri, 7 Jul 2023 17:41:32 -0500 Subject: [PATCH 02/12] Fix respec warning --- index.html | 2 -- 1 file changed, 2 deletions(-) diff --git a/index.html b/index.html index 8414a341..5c382337 100644 --- a/index.html +++ b/index.html @@ -843,8 +843,6 @@

application/vp+ld+jwt

As defined in this specification. See also the security considerations in [[RFC7519]].

- -

Be advised, per the [[VC-DATA-MODEL]], verifiable presentations are not required to be secured. From 45d666dd0baca6f0f4a22fd9dc8ecbfe87a6c9dc Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Fri, 7 Jul 2023 17:47:19 -0500 Subject: [PATCH 03/12] Remove issue marker that is breaking respec --- index.html | 1 - 1 file changed, 1 deletion(-) diff --git a/index.html b/index.html index 5c382337..52b7d63f 100644 --- a/index.html +++ b/index.html @@ -388,7 +388,6 @@

Key Discovery

-

From 249eb44fd1cdb384e25e38d84d3882b451d39a96 Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Wed, 12 Jul 2023 18:31:42 -0500 Subject: [PATCH 04/12] Update index.html Co-authored-by: Ted Thibodeau Jr --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 52b7d63f..92bc8422 100644 --- a/index.html +++ b/index.html @@ -482,7 +482,7 @@

OpenID Connect

  1. - The verifier (or relying party), + The verifier (or relying party) decodes the JWT claimset, and obtains the iss claim.

  2. From e7b921572231352a692ffd2f927aae4330fd68e9 Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Wed, 12 Jul 2023 18:31:57 -0500 Subject: [PATCH 05/12] Update index.html Co-authored-by: Ted Thibodeau Jr --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 92bc8422..7cd0ddb9 100644 --- a/index.html +++ b/index.html @@ -488,7 +488,7 @@

    OpenID Connect

  3. - The iss is converted to the well known open id connect configuration + The iss value is converted to the well-known OpenID Connect Configuration endpoint by applying the following template URI.

    
    From 53d4da8ca2b0d48115f5f6738e7531b7005622bc Mon Sep 17 00:00:00 2001
    From: Orie Steele 
    Date: Wed, 12 Jul 2023 18:32:22 -0500
    Subject: [PATCH 06/12] Update index.html
    
    Co-authored-by: Ted Thibodeau Jr 
    ---
     index.html | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/index.html b/index.html
    index 7cd0ddb9..d4b8816b 100644
    --- a/index.html
    +++ b/index.html
    @@ -489,7 +489,7 @@ 

    OpenID Connect

  4. The iss value is converted to the well-known OpenID Connect Configuration - endpoint by applying the following template URI. + Endpoint URL by applying the following URI template:

                 https://{iss}/.well-known/openid-configuration
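Review bot: the wording fix is fine, but the template on the line below it, `https://{iss}/.well-known/openid-configuration`, is still wrong for OpenID Connect. The `iss` value is an Issuer Identifier, which OpenID Connect Core defines as a URL using the `https` scheme, so substituting it into this template yields a doubled scheme. OpenID Connect Discovery forms the configuration URL by appending `/.well-known/openid-configuration` to the Issuer Identifier itself (removing any terminating `/` first if the issuer has a path component). Suggest `{iss}/.well-known/openid-configuration` together with one sentence stating that `iss` must already be an `https` URL and that a trailing slash is removed before the path is appended.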
    
    From a9f8cab17534c9826c3f2a41f26c66eb330ec11e Mon Sep 17 00:00:00 2001
    From: Orie Steele 
    Date: Wed, 12 Jul 2023 18:32:29 -0500
    Subject: [PATCH 07/12] Update index.html
    
    Co-authored-by: Ted Thibodeau Jr 
    ---
     index.html | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/index.html b/index.html
    index d4b8816b..cea0ed86 100644
    --- a/index.html
    +++ b/index.html
    @@ -498,7 +498,7 @@ 

    OpenID Connect

  5. The OIDC Configuration Endpoint URL is dereferenced to a JSON document which contains issuer configuration details, - one of which is the jwks_uri. This URL might also be well known, for example: + one of which is the jwks_uri. This URL might also be well-known, for example:

                 https://{iss}/.well-known/jwks
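Review bot: the hyphenation fix is fine, but the example on the line below, `https://{iss}/.well-known/jwks`, should not be offered as a second way to locate the key set. `/.well-known/jwks` is not a well-known path defined by OpenID Connect Discovery (the only one this procedure relies on is `/.well-known/openid-configuration`), and it has the same doubled-scheme problem as the configuration template above it. A verifier has to use the `jwks_uri` value from the configuration document it just fetched, as an absolute URL, and must never construct or guess the key-set location from `iss`. Suggest dropping the second template and replacing "This URL might also be well-known, for example:" with a statement that `jwks_uri` is chosen by the issuer and is used exactly as published.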
    
    From 03b73b8e98b335ea28aa2931334e602f81672846 Mon Sep 17 00:00:00 2001
    From: Orie Steele 
    Date: Wed, 12 Jul 2023 18:32:39 -0500
    Subject: [PATCH 08/12] Update index.html
    
    Co-authored-by: Ted Thibodeau Jr 
    ---
     index.html | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/index.html b/index.html
    index cea0ed86..df5baf21 100644
    --- a/index.html
    +++ b/index.html
    @@ -549,7 +549,7 @@ 

    OpenID Connect

  6. - The verifier (or relying party), + The verifier (or relying party) uses kid from the protected header of the JWT, to identify the publc key, controlled by the issuer, used to verify the token.

    From 33b1e4f7480f6594234b5c900027521e38d9052d Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Wed, 12 Jul 2023 18:32:45 -0500 Subject: [PATCH 09/12] Update index.html Co-authored-by: Ted Thibodeau Jr --- index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index df5baf21..3f696965 100644 --- a/index.html +++ b/index.html @@ -550,8 +550,8 @@

    OpenID Connect

  7. The verifier (or relying party) - uses kid from the protected header of the JWT, - to identify the publc key, controlled by the issuer, used to verify the token. + uses kid from the protected header of the JWT + to identify the public key, controlled by the issuer, used to verify the token.

    The verifier (or relying party), From 302ac19ebafb596c47e8f67bc212ad76c809fbc4 Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Wed, 12 Jul 2023 18:32:53 -0500 Subject: [PATCH 10/12] Update index.html Co-authored-by: Ted Thibodeau Jr --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 3f696965..0363a173 100644 --- a/index.html +++ b/index.html @@ -554,7 +554,7 @@

    OpenID Connect

    to identify the public key, controlled by the issuer, used to verify the token.

    - The verifier (or relying party), + The verifier (or relying party) verifies the signature on the JWT. After verification, the claims the issuer has made about the subject can be reviewed or processed, because the integrity of the claims has been protected by a digital signature verification. From c7c7bdb30310d0c88c7eb9c46205ecc43fcff1e7 Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Thu, 13 Jul 2023 13:31:54 -0500 Subject: [PATCH 11/12] Update index.html Co-authored-by: Ted Thibodeau Jr --- index.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/index.html b/index.html index 0363a173..59fb5665 100644 --- a/index.html +++ b/index.html @@ -551,7 +551,8 @@

    OpenID Connect

    The verifier (or relying party) uses kid from the protected header of the JWT - to identify the public key, controlled by the issuer, used to verify the token. + to identify the public key, controlled by the issuer, and uses it to verify + the token.

    The verifier (or relying party) From eb55c5c28d37484bd9301ab01309a4dc5097ebba Mon Sep 17 00:00:00 2001 From: Orie Steele Date: Fri, 14 Jul 2023 14:43:52 -0500 Subject: [PATCH 12/12] Update index.html --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 59fb5665..d7795eb3 100644 --- a/index.html +++ b/index.html @@ -476,7 +476,7 @@

    Well Known URIs

    OpenID Connect

    - OIDC uses Well-Known Uniform Resource Identifiers (URIs) + OpenID Connect uses Well-Known Uniform Resource Identifiers (URIs) to enable issuer key discovery.