[security] [Openid-specs-ab] We have published a discovery doc & JWK endpoint
Manger, James
James.H.Manger at team.telstra.com
Tue Mar 18 06:47:45 UTC 2014
Tim,
>> Start at https://accounts.google.com/.well-known/openid-configuration
>>
>> Hope it works...
> Looks good. I added this to the interop info at http://osis.idcommons.net/wiki/OC5:Google_Deployment.
Actually it looks bad.
That configuration includes
"jwks_uri": "https://www.googleapis.com/oauth2/v2/certs",
That JWK has two keys. Calling raw keys “certs” is a curious choice.
Both keys are wrong.
They are 1024-bit RSA keys. The JWA spec says they MUST be 2048-bit or larger.
The "n" members (modulus) are base64-encoded, when they should be base64url-encoded. Note the presence of / and +.
They also start (after base64-decoding) with a leading 0x00 byte, whereas the spec says "n" is unsigned and “MUST utilize the minimum number of octets to represent the value”. There should be 1024/6=171 b64 chars, instead of (8+1024)/6=172.
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-23#section-6.3.1.1
https://www.googleapis.com/oauth2/v2/certs:
{
"keys": [
{
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"kid": "36239103c08ce207082b721dfbc80bc8d800bff2",
"n": "AKunY03zz/oJonovVNJjnjscjScnqtdtMEmnExJShJkoh8KjyHtH+TAldA7jrpQHDJnX81IxbkmH1JQMkgSKN4qVvJTqvA9RQFc6phN+7HU4JfPfpkYb3Jbnl35w4CXJkZoyXucAj4qw87szAgt2WBLrFoT08PjONmii5cmFR6BT",
"e": "AQAB"
},
{
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"kid": "7e18e2970941338884c88f2e789d7d8c519cd919",
"n": "ALjEqP0OUMivrQUIPj39+ckmE3KBtDDNdJZLCxFRGT2gUETsbc/x+zUit5xvKWN4DbSlVCwHdvIQcEgTdG+HZTrCoPDkoiOW+DxX4j+IkpiS1hy3YL9gHbBD4J75dGGRTfavZ77fu4E0/a/3s22rOda21ZQlUhlUZtyUxUGpxxSj",
"e": "AQAB"
}
]
}
--
James Manger
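A small checker for the three defects described above (wrong base64 alphabet, leading 0x00 byte, modulus under 2048 bits), added here as an example and not part of the original message or of any Google code. The first key from the response quoted above is used as input; the "good" key is a constructed modulus of the right shape, not a real RSA key.

```python
import base64
import re

B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # base64url alphabet, no padding
MIN_RSA_BITS = 2048                           # JWA: RSA keys MUST be 2048 bits or larger


def decode_b64_lenient(s):
    """Decode base64url or plain base64 (so mis-encoded values can still be inspected)."""
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)                  # tolerate missing padding
    return base64.b64decode(s)


def int_to_b64url(i):
    """Encode a positive integer as the minimal-length big-endian base64url JWA requires."""
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_rsa_jwk(jwk):
    """Return a list of findings for an RSA JWK; an empty list means the key passes."""
    findings = []
    if jwk.get("kty") != "RSA":
        return ["kty is not RSA"]
    for member in ("n", "e"):
        val = jwk.get(member)
        if not isinstance(val, str) or not val:
            findings.append(f"missing {member}")
            continue
        if not B64URL_RE.match(val):
            findings.append(f"{member} is not base64url (contains '+', '/' or '=')")
        raw = decode_b64_lenient(val)
        if raw[:1] == b"\x00":
            findings.append(f"{member} has a leading 0x00 byte; not the minimum number of octets")
        if member == "n":
            bits = int.from_bytes(raw, "big").bit_length()
            if bits < MIN_RSA_BITS:
                findings.append(f"modulus is {bits} bits; JWA requires at least {MIN_RSA_BITS}")
    return findings


# First key from the certs response quoted in the message above.
GOOGLE_KEY_2014 = {
    "kty": "RSA", "alg": "RS256", "use": "sig",
    "kid": "36239103c08ce207082b721dfbc80bc8d800bff2",
    "n": "AKunY03zz/oJonovVNJjnjscjScnqtdtMEmnExJShJkoh8KjyHtH+TAldA7jrpQHDJnX81IxbkmH1JQMkgSKN4qVvJTqvA9RQFc6phN+7HU4JfPfpkYb3Jbnl35w4CXJkZoyXucAj4qw87szAgt2WBLrFoT08PjONmii5cmFR6BT",
    "e": "AQAB",
}
# Constructed value of the correct shape (2048-bit, minimal octets, base64url); NOT a real key.
GOOD_SHAPE_KEY = {"kty": "RSA", "n": int_to_b64url((1 << 2047) | 1), "e": int_to_b64url(65537)}

if __name__ == "__main__":
    for name, key in (("google-2014", GOOGLE_KEY_2014), ("good-shape", GOOD_SHAPE_KEY)):
        print(name, check_rsa_jwk(key) or "OK")
```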