[Openid-specs-ab] JWK Thumbprint / RFC 7638

Brian Campbell bcampbell at pingidentity.com
Tue Oct 20 17:19:52 UTC 2015


Not really. There was a "jkt" JOSE header defined in an early draft but it
was later pulled out.
https://tools.ietf.org/rfcdiff?url2=draft-ietf-jose-jwk-thumbprint-02.txt



On Mon, Oct 5, 2015 at 10:29 AM, Sergey Beryozkin <sberyozkin at gmail.com>
wrote:

> Hi Brian
>
> Finally got a chance to add these tests, luckily without having to tweak
> the source code :-), thanks for providing the extra test material:
> http://git-wip-us.apache.org/repos/asf/cxf/commit/bdad3fe6
>
> However, I wonder, can JWK thumbprints be used in an interoperable way
> as JWS or JWE header values? This is something I'd like to experiment with
> but so far I've only seen a text reference to thumbprints in a section
> describing Self-Signed OpenIdConnect providers
>
> Cheers, Sergey
> On 21/09/15 16:42, Brian Campbell wrote:
>
>> I added JWK Thumbprint support to my JOSE/JWT library
>> <https://bitbucket.org/b_c/jose4j> this morning. Does anyone else have
>> an implementation handy?
>>
>> The example in section 3.1
>> <http://tools.ietf.org/html/rfc7638#section-3.1> provided a nice
>> opportunity to check my work with an "RSA" key type. However, there are
>> no examples for "EC" or "oct" keys. While it should be pretty
>> straightforward to implement, for me anyway, dumb little mistakes are
>> certainly within the realm of possibility. So, if anyone would like to
>> check their work against mine, a few JWKs followed by the base64url
>> encoded SHA-256 hash of the RFC 7638 thumbprint are below. I'd be
>> interested to hear if folks can (hopefully) reproduce the same results.
>>
>> {"kty":"oct",
>>   "k":"ZW8Eg8TiwoT2YamLJfC2leYpLgLmUAh_PcMHqRzBnMg"}
>> 7WWD36NF4WCpPaYtK47mM4o0a5CCeOt01JXSuMayv5g
>>
>>
>> {"kty":"EC",
>>   "x":"CEuRLUISufhcjrj-32N0Bvl3KPMiHH9iSw4ohN9jxrA",
>>   "y":"EldWz_iXSK3l_S7n4w_t3baxos7o9yqX0IjzG959vHc",
>>   "crv":"P-256"}
>> j4UYwo9wrtllSHaoLDJNh7MhVCL8t0t8cGPPzChpYDs
>>
>>
>> {"kty":"EC",
>> "x":"Aeq3uMrb3iCQEt0PzSeZMmrmYhsKP5DM1oMP6LQzTFQY9-F3Ab45xiK4AJxltXEI-87g3gRwId88hTyHgq180JDt",
>> "y":"ARA0lIlrZMEzaXyXE4hjEkc50y_JON3qL7HSae9VuWpOv_2kit8p3pyJBiRb468_U5ztLT7FvDvtimyS42trhDTu",
>>   "crv":"P-521"}
>> rz4Ohmpxg-UOWIWqWKHlOe0bHSjNUFlHW5vwG_M7qYg
>>
>>
>> {"kty":"EC",
>>   "x":"2jCG5DmKUql9YPn7F2C-0ljWEbj8O8-vn5Ih1k7Wzb-y3NpBLiG1BiRa392b1kcQ",
>>   "y":"7Ragi9rT-5tSzaMbJlH_EIJl6rNFfj4V4RyFM5U2z4j1hesX5JXa8dWOsE-5wPIl",
>>   "crv":"P-384"}
>> vZtaWIw-zw95JNzzURg1YB7mWNLlm44YZDZzhrPNetM
>>
>>
>> {"kty":"oct","k":"NGbwp1rC4n85A1SaNxoHow"}
>> 5_qb56G0OJDw-lb5mkDaWS4MwuY0fatkn9LkNqUHqMk
>>
>>
>
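
One way to reproduce the values quoted above, as an added Python example that is not part of the thread and is not code from jose4j or CXF. It follows the RFC 7638 procedure (keep only the required members for the key type, order them lexicographically, serialize without whitespace, SHA-256 the UTF-8 bytes, base64url-encode without padding); the names `REQUIRED`, `jwk_thumbprint`, `VECTORS` and `mismatches` are chosen here for illustration.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638, section 3.2); everything else is ignored.
REQUIRED = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """Return the base64url (unpadded) SHA-256 JWK Thumbprint of `jwk`."""
    kty = jwk.get("kty")
    if kty not in REQUIRED:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED[kty] if not isinstance(jwk.get(m), str)]
    if missing:
        raise ValueError(f"missing or non-string members: {missing}")
    # Keep only the required members, sort them lexicographically and
    # serialize with no whitespace, then hash the UTF-8 bytes.
    subset = {m: jwk[m] for m in REQUIRED[kty]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Keys and expected values copied from the message above.
VECTORS = [
    ({"kty": "oct", "k": "ZW8Eg8TiwoT2YamLJfC2leYpLgLmUAh_PcMHqRzBnMg"},
     "7WWD36NF4WCpPaYtK47mM4o0a5CCeOt01JXSuMayv5g"),
    ({"kty": "EC",
      "x": "CEuRLUISufhcjrj-32N0Bvl3KPMiHH9iSw4ohN9jxrA",
      "y": "EldWz_iXSK3l_S7n4w_t3baxos7o9yqX0IjzG959vHc",
      "crv": "P-256"},
     "j4UYwo9wrtllSHaoLDJNh7MhVCL8t0t8cGPPzChpYDs"),
    ({"kty": "oct", "k": "NGbwp1rC4n85A1SaNxoHow"},
     "5_qb56G0OJDw-lb5mkDaWS4MwuY0fatkn9LkNqUHqMk"),
]


def mismatches() -> list:
    """Return (expected, computed) pairs for every vector that disagrees."""
    results = [(want, jwk_thumbprint(jwk)) for jwk, want in VECTORS]
    return [(want, got) for want, got in results if want != got]


if __name__ == "__main__":
    print(mismatches() or "all vectors reproduce")
```

Because only the required members are hashed, adding `kid`, `use` or `alg` to a JWK, or reordering its members as the EC keys above do, leaves the thumbprint unchanged.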