[Openid-specs-ab] We have published a discovery doc & JWK endpoint

Mike Jones Michael.Jones at microsoft.com
Tue Mar 18 16:10:37 UTC 2014


Breno and Naveen – can you please fix the syntax of the keys to use base64url encoding?

You should also plan to migrate to 2048 bit keys, but I understand that this is a larger issue.

Thanks for identifying these issues, James.

                                                            -- Mike

From: Manger, James [mailto:James.H.Manger at team.telstra.com]
Sent: Monday, March 17, 2014 11:48 PM
To: tbray at textuality.com
Cc: openid-security at lists.openid.net; Mike Jones
Subject: RE: [Openid-specs-ab] We have published a discovery doc & JWK endpoint

Tim,


>> Start at https://accounts.google.com/.well-known/openid-configuration
>>
>> Hope it works...

> Looks good.  I added this to the interop info at http://osis.idcommons.net/wiki/OC5:Google_Deployment.


Actually it looks bad.
That configuration includes

"jwks_uri": "https://www.googleapis.com/oauth2/v2/certs",
That JWK has two keys. Calling raw keys “certs” is a curious choice.
Both keys are wrong.
They are 1024-bit RSA keys. The JWA spec says they MUST be 2048-bit or larger.
The "n" members (modulus) are base64-encoded, when they should be base64url-encoded. Note the presence of / and +.
They also start (after base64-decoding) with a leading 0x00 byte, whereas the spec says "n" is unsigned and “MUST utilize the minimum number of octets to represent the value”. There should be 1024/6=171 b64 chars, instead of (8+1024)/6=172.
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-23#section-6.3.1.1


https://www.googleapis.com/oauth2/v2/certs:

{
 "keys": [
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "36239103c08ce207082b721dfbc80bc8d800bff2",
   "n": "AKunY03zz/oJonovVNJjnjscjScnqtdtMEmnExJShJkoh8KjyHtH+TAldA7jrpQHDJnX81IxbkmH1JQMkgSKN4qVvJTqvA9RQFc6phN+7HU4JfPfpkYb3Jbnl35w4CXJkZoyXucAj4qw87szAgt2WBLrFoT08PjONmii5cmFR6BT",
   "e": "AQAB"
  },
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "7e18e2970941338884c88f2e789d7d8c519cd919",
   "n": "ALjEqP0OUMivrQUIPj39+ckmE3KBtDDNdJZLCxFRGT2gUETsbc/x+zUit5xvKWN4DbSlVCwHdvIQcEgTdG+HZTrCoPDkoiOW+DxX4j+IkpiS1hy3YL9gHbBD4J75dGGRTfavZ77fu4E0/a/3s22rOda21ZQlUhlUZtyUxUGpxxSj",
   "e": "AQAB"
  }
 ]
}


--
James Manger
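Added example (not part of the thread): a small Python check for the three JWA rules James cites above, run over the first key from the quoted JWK Set. It flags a non-base64url alphabet, a non-minimal "n" with a leading 0x00 octet, and a modulus under 2048 bits, and shows what a spec-conforming "n" for the same modulus looks like. The function names (check_rsa_jwk, fixed_n) are my own, not from any JOSE library.

```python
import base64
import re

# Input taken from the JWK Set quoted in the thread (first key, verbatim).
QUOTED_JWK = {
    "kty": "RSA", "alg": "RS256", "use": "sig",
    "kid": "36239103c08ce207082b721dfbc80bc8d800bff2",
    "n": "AKunY03zz/oJonovVNJjnjscjScnqtdtMEmnExJShJkoh8KjyHtH+TAldA7jrpQHDJnX81IxbkmH1JQMkgSKN4qVvJTqvA9RQFc6phN+7HU4JfPfpkYb3Jbnl35w4CXJkZoyXucAj4qw87szAgt2WBLrFoT08PjONmii5cmFR6BT",
    "e": "AQAB",
}

MIN_RSA_BITS = 2048  # JWA: RSA keys MUST be 2048 bits or larger
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]*$")  # base64url alphabet, no '=' padding


def decode_tolerant(value: str) -> bytes:
    """Diagnostic decoder: accepts base64url OR plain base64, padded or not."""
    std = value.replace("-", "+").replace("_", "/")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def encode_uint(n: int) -> str:
    """Encode an unsigned integer as JWA requires: minimal big-endian octets, unpadded base64url."""
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def check_rsa_jwk(jwk: dict) -> list:
    """Return the JWA violations found in an RSA public JWK (empty list if none)."""
    problems = []
    for member in ("n", "e"):
        raw = jwk[member]
        if not B64URL_RE.match(raw):
            problems.append(f"{member}: not base64url")
        octets = decode_tolerant(raw)
        if len(octets) > 1 and octets[0] == 0:
            problems.append(f"{member}: leading 0x00 octet")
    bits = int.from_bytes(decode_tolerant(jwk["n"]), "big").bit_length()
    if bits < MIN_RSA_BITS:
        problems.append(f"n: {bits}-bit modulus, need >= {MIN_RSA_BITS}")
    return problems


def fixed_n(jwk: dict) -> str:
    """Re-encode "n" to the spec's form; the key size itself cannot be fixed this way."""
    return encode_uint(int.from_bytes(decode_tolerant(jwk["n"]), "big"))


if __name__ == "__main__":
    print(check_rsa_jwk(QUOTED_JWK))
    print(len(fixed_n(QUOTED_JWK)), "chars after re-encoding")
```

Re-encoding yields the 171-character "n" James computes; only the 2048-bit requirement remains unmet.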
