[Openid-specs-ab] [openid/connect] Decryption of JWE encrypted request in the case of Self-issued OP and multi-persona (issue #657)
issues-reply at bitbucket.org
Fri Sep 28 02:53:45 UTC 2012
--- you can reply above this line ---
New issue 657: Decryption of JWE encrypted request in the case of Self-issued OP and multi-persona
There are 2 personas in Self-issued OP - persona p1 and p2 - and some RP - rp1.
End-user use rp1's service by both personas.
u1: user_id of p1 for rp1
k1: user_jwk(OP's public key) for p1. u1 = sha256(k1) // Standard 5.5
u2: user_id of p2 for rp1
k2: user_jwk for p2. u2 = sha256(k2)
rp1 cannot encrypt the request (user_jwk is contained in the response)
rp1 encrypt the request with k2.
OP cannot know that with which key the request is encrypted.
So OP must try to decrypt with k1, k2, ... kn until the request is successfully decrypted.
if JWE header contains jwt(jwk's thumbprint. currently undefined) parameter like x5t, OP may be able to find the key easily.
but it may be difficult to implement JWT/JWS/JWE library, because JWT library must also support key management.
This is an issue notification from bitbucket.org. You are receiving
this either because you are the owner of the issue, or you are
following the issue.
More information about the Openid-specs-ab