[Openid-specs-ab] Issue #167: (rp-id_token-kid_absent_multiple_jwks) JWK set is invalid for this test (openid/certification)

Edmund Jay issues-reply at bitbucket.org
Wed Jul 29 21:43:07 UTC 2015


New issue 167: (rp-id_token-kid_absent_multiple_jwks) JWK set is invalid for this test
https://bitbucket.org/openid/certification/issues/167/rp-id_token-kid_absent_multiple_jwks-jwk

Edmund Jay:

The test description says: Identify that the 'kid' value is missing from the JOSE header and that the Issuer publishes multiple keys in its JWK Set document (referenced by 'jwks_uri'). Reject the ID Token since it can not be determined which key to use to verify the signature.

The JWK contains multiple keys but it contains 1 RS signature key, 1 RSA encryption key, 1 EC signature key, and 1 EC encryption key. The ID Token uses the RS256 signature so the key can be deduced from the JWK key set.

```json
{
    "keys": [
        {
            "use": "enc",
            "n": "1uEIILfdysUFLySlD-vcCS5tP2hOVqAgAlcG0J-4et3HKop5GdwYK7Z5WDecQmSDWimYhypi5nII6uFkyGGSuZ-IWfvwKZh9A-KQ5VAO7frabRG7wgUnm7IMfO0h2BeL6AI75FloT45Yg65CXZLru4zECSk2g4vjzo7AigjsVdXMwKPkDgkG6e_70a9IrHGSRnlujBE8GHWgPIP51q5LuY9BLoQ2YW8PyWE4q1fFB3yFd2HX9NA1BeGLqO7Uj0WGW-v3ZDPvtkYKYAy0WcmK0k9RDmvcx_B5qQyK6oq32E-mdkmvhGSG3-Wie07LreQX4Z2xZZyVMpUGV8TxBBPHIQ",
            "e": "AQAB",
            "kty": "RSA",
            "kid": "a0"
        },
        {
            "use": "sig",
            "n": "tAAzYdbiWDAKI8Q3s1crQRuVp0QXpyGgnzx_sGItC2rhdug68gE9v5mfK-7SJCBpuZXzX1YevJ25B0LhNQSWqvb6gYwlNHs33G8VmSzjpqFazItnhKMPnEehCXmPl7iFi8VV0NCC5_uH9xP61TClWsE8B7i4CV6y9B0hZI22p2M",
            "e": "AQAB",
            "kty": "RSA",
            "kid": "a1"
        },
        {
            "use": "sig",
            "crv": "P-256",
            "kty": "EC",
            "y": "BDoCmY-d67RHNgVfRcvU0F8aqsVB35qK0_DpfAZD-n4",
            "x": "akQjlPEXU4vdVTt-nvDesLWBBS79F9AJU_VWgMJ1Lk4",
            "kid": "a2"
        },
        {
            "use": "enc",
            "crv": "P-256",
            "kty": "EC",
            "y": "MDsXIqi5GWYJV3hYDCZePTjdZWebVGu8aiOuiJzmpYU",
            "x": "G466361H0oupaNZ762m0V81EDzrmprXIEmnpWgR2eW4",
            "kid": "a3"
        }
    ]
}
```
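The key deduction described in the issue, as an added example that is not part of the original post or of the certification suite: a relying party filters the JWK Set by the key type the header's `alg` requires and by `use`, then rejects the token unless exactly one key remains. The function names, `KeySelectionError`, and the extra key `b1` are assumptions made for illustration; key material is omitted because selection reads only metadata.

```python
# Added example. Key material (n, e, x, y) is left out: selection reads only metadata.
# JWS "alg" -> (JWK "kty", JWK "crv" or None), per RFC 7518.
ALG_KEY_TYPE = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
}

# Same kid/use/kty/crv values as the JWK Set in the issue.
ISSUE_JWKS = {"keys": [
    {"use": "enc", "kty": "RSA", "kid": "a0"},
    {"use": "sig", "kty": "RSA", "kid": "a1"},
    {"use": "sig", "kty": "EC", "crv": "P-256", "kid": "a2"},
    {"use": "enc", "kty": "EC", "crv": "P-256", "kid": "a3"},
]}
# Constructed: a second RSA signing key ("b1") makes a kid-less RS256 token ambiguous.
AMBIGUOUS_JWKS = {"keys": ISSUE_JWKS["keys"] + [{"use": "sig", "kty": "RSA", "kid": "b1"}]}


class KeySelectionError(Exception):
    """Zero or several keys fit the JOSE header; the token must be rejected."""


def candidate_keys(jwks, header):
    """Return every JWK that could verify a JWS carrying this JOSE header."""
    alg = header.get("alg")
    if alg not in ALG_KEY_TYPE:  # also rejects "none" and HMAC algorithms
        raise KeySelectionError(f"unsupported alg: {alg!r}")
    kty, crv = ALG_KEY_TYPE[alg]
    matches = []
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != kty or (crv and jwk.get("crv") != crv):
            continue
        if jwk.get("use", "sig") != "sig":  # "use" is optional in a JWK
            continue
        if jwk.get("alg", alg) != alg:  # honour a per-key "alg" restriction
            continue
        if "kid" in header and jwk.get("kid") != header["kid"]:
            continue
        matches.append(jwk)
    return matches


def select_verification_key(jwks, header):
    """Return the single matching key, or raise so the caller rejects the token."""
    matches = candidate_keys(jwks, header)
    if len(matches) != 1:
        raise KeySelectionError(f"{len(matches)} candidate keys for header {header}")
    return matches[0]
```

With the key set from the issue, a kid-less RS256 header resolves to `a1`; only a set such as `AMBIGUOUS_JWKS` forces the rejection the test description expects.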
