[Openid-specs-fapi] External : Re: External : Re: External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval

Anders Rundgren anders.rundgren.net at gmail.com
Tue Sep 22 14:27:54 UTC 2020


On 2020-09-22 16:16, Freddi Gyara wrote:
> Like so:
> 
> x-jws-signature: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..g8Tg-vFDVhoXSItpJO3syG1452wH2cftzWKL-L36YnA
> content-type: application/json
> 
> {
>      "iss": "Online JWT Builder",
>      "iat": 1600783889,
>      "exp": 1632319889,
>      "aud": "www.example.com",
>      "sub": "jrocket at example.com",
>      "Hello": "World"
> }

This was what I hoped.  I got confused by the line "The body is encoded" :)

Personally I maintain that the following is an even better model (based on RFC 8785):

content-type: application/json

{
     "iss": "Online JWT Builder",
     "iat": 1600783889,
     "exp": 1632319889,
     "aud": "www.example.com",
     "sub": "jrocket at example.com",
     "Hello": "World",
     "signature": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..gSQhGOAnFqRpuJglQ3FOF2zKq9eBC3a_Y0YfPvd8X_M"
}

Anders

> 
> 
> The html body is passed into the JWS signer lib resulting in a "normal" JWS: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MDA3ODM4ODksImV4cCI6MTYzMjMxOTg4OSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkhlbGxvIjoiV29ybGQifQ.g8Tg-vFDVhoXSItpJO3syG1452wH2cftzWKL-L36YnA
> 
> For the detached signature, you then simply drop the middle portion resulting in the sig in the header above
> 
> 
> -----Original Message-----
> From: Anders Rundgren <anders.rundgren.net at gmail.com>
> Sent: 22 September 2020 14:33
> To: Freddi Gyara <Freddi.Gyara at openbanking.org.uk>; FAPI Working Group List <openid-specs-fapi at lists.openid.net>
> Cc: Brian Campbell <bcampbell at pingidentity.com>
> Subject: External : Re: External : Re: [Openid-specs-fapi] External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval
> 
> On 2020-09-22 15:03, Freddi Gyara wrote:
>> The body is encoded - usually by the library that is meant to generate the JWT
> 
> Hi Freddy,
> 
> Now I'm confused.  You are using the detached mode while the body is Base64Url-encoded?
> Does your current scheme look a bit like the following?
> 
> x-detached-jwt-signature: eyJhbGciOiJIUzI1NiJ9..nhcg7D__M-CpBEEBvLFcwGpJnuz9craDxEvJx_b3yME
> Content-Type: application/jwt+b64
> 
> ew0KICAiSGVsbG8gT3BlbiBCYW5raW5nIjogInRoYW54ISINCn0
> 
> 
> Regards,
> Anders
> 
> Actual body content:
> {
>     "Hello Open Banking": "thanx!"
> }
> 
>>
>> -----Original Message-----
>> From: Anders Rundgren <anders.rundgren.net at gmail.com>
>> Sent: 22 September 2020 13:03
>> To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>; Freddi Gyara <Freddi.Gyara at openbanking.org.uk>
>> Cc: Brian Campbell <bcampbell at pingidentity.com>
>> Subject: External : Re: [Openid-specs-fapi] External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval
>>
>> On 2020-09-22 10:39, Freddi Gyara via Openid-specs-fapi wrote:
>>>
>>> Around a year ago at least, most JWT libraries did not honour the ‘b64’ header (they simply ignored it). As a result, we ended up with signatures in the ecosystem where participants thought they were unencoded, but actually were and verification methods where they were trying to verify against un-encoded payloads. As you can imagine, it just caused a lot of confusion.
>>>
>>> We paused the implementation under a waiver which expired a few months ago and we are beginning to see very few issues with usage of signatures in the ecosystem (after an initial round of incorrect implementations that have largely been fixed). TBH, payment volumes are low, but increasing and we haven’t seen a similar increase in support tickets or complaints around signature generation and validation.
>>>
>>> The approach that is now followed is to b64 encode and sign the HTTP body, then drop the central part of the resulting JWT (as described in Appendix F).
>>>
>>
>> Hi Freddy,
>>
>> I don't understand how to interpret this.  Do you mean that the HTTP body actually is B64 encoded?
>>
>> If not, I don't see the point with b64-encoding.  I thought that was a part of a JWS library/encoder:
>> https://github.com/cyberphone/openkeystore/blob/ba7d8a9ec6b8c87dbad937481049dbcd81693a8d/library/src/org/webpki/jose/JOSESupport.java#L158
>>
>> thanx,
>> Anders
>>
>>
>> Please consider the environment before printing this email.
>>
>> This email is from Open Banking Limited, Company Number 10440081. Our registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.
>>
>> This email and any attachments are confidential and are intended for the above named only. They may also be legally privileged or covered by other legal rights and rules. Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal. If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email. You can also view our privacy policy (https://www.openbanking.org.uk/privacy-policy).
>>
> 
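Added example, not code from this thread, from Open Banking or from the OBE JWS Profile: a small stand-alone implementation of the two things being argued about above. It builds a detached compact JWS over the HTTP body (RFC 7515 Appendix F) both in the default form, where the body is base64url-encoded inside the signing input, and with the RFC 7797 "b64": false option, and shows why a verifier that ignores the b64 header (the library behaviour Freddi describes) rejects the second kind. It then does the model Anders prefers: canonicalise the JSON body and carry the detached JWS in a "signature" member of the same document. HS256 is used because the samples in the thread are HS256; the key, the payload and the canonicalisation helper are assumptions of this example (the helper is only a stand-in for RFC 8785, exact for this payload because it contains just strings and integers), so the signatures it prints do not match the ones quoted in the mail.

```python
# Added example (not from the thread): detached JWS with/without RFC 7797
# "b64": false, plus Anders's RFC 8785-style embedded-signature model.
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"demo-shared-secret"  # constructed; the thread's key is unknown

# Constructed payload, modelled on the one quoted in the thread.
PAYLOAD = {
    "iss": "Online JWT Builder",
    "iat": 1600783889,
    "exp": 1632319889,
    "aud": "www.example.com",
    "sub": "jrocket@example.com",
    "Hello": "World",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(key: bytes, signing_input: bytes) -> str:
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def signing_input(header_b64: str, payload: bytes, b64: bool) -> bytes:
    # RFC 7515:            BASE64URL(header) '.' BASE64URL(payload)
    # RFC 7797, b64=false: BASE64URL(header) '.' payload (raw bytes)
    middle = b64url(payload).encode("ascii") if b64 else payload
    return header_b64.encode("ascii") + b"." + middle


def sign_detached(key: bytes, payload: bytes, b64: bool = True) -> str:
    """Compact JWS with the middle (payload) part dropped, RFC 7515 App. F."""
    header = {"alg": "HS256"}
    if not b64:
        header["b64"] = False
        header["crit"] = ["b64"]  # RFC 7797: b64 must be listed as critical
    header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    return header_b64 + ".." + hs256(key, signing_input(header_b64, payload, b64))


def verify_detached(key: bytes, detached: str, payload: bytes,
                    honour_b64: bool = True) -> bool:
    """Re-attach the HTTP body and check the MAC.

    honour_b64=False reproduces the old-library behaviour from the thread:
    the b64 header is ignored and the body is always base64url-encoded first.
    """
    parts = detached.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    header_b64, _, sig = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # pin the algorithm; never let the token choose it
    b64 = True
    if honour_b64:
        b64 = header.get("b64", True) is not False
    expected = hs256(key, signing_input(header_b64, payload, b64))
    return hmac.compare_digest(expected, sig)


def canonical_json(obj: dict) -> bytes:
    # Stand-in for RFC 8785 (JCS): sorted members, no whitespace, raw UTF-8.
    # Exact here (strings and integers only); full JCS additionally fixes
    # ES6 number formatting and sorts keys by UTF-16 code units.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_embedded(key: bytes, obj: dict) -> dict:
    """Detached JWS over the canonicalised object, carried in a
    "signature" member of the same JSON document."""
    unsigned = {k: v for k, v in obj.items() if k != "signature"}
    signed = dict(unsigned)
    signed["signature"] = sign_detached(key, canonical_json(unsigned))
    return signed


def verify_embedded(key: bytes, obj: dict) -> bool:
    if "signature" not in obj:
        return False
    unsigned = {k: v for k, v in obj.items() if k != "signature"}
    return verify_detached(key, obj["signature"], canonical_json(unsigned))


if __name__ == "__main__":
    body = json.dumps(PAYLOAD, indent=4).encode()
    sig = sign_detached(DEMO_KEY, body)
    print("x-jws-signature:", sig)
    print("default, verifies:", verify_detached(DEMO_KEY, sig, body))
    sig_raw = sign_detached(DEMO_KEY, body, b64=False)
    print("b64=false, b64 honoured:", verify_detached(DEMO_KEY, sig_raw, body))
    print("b64=false, b64 ignored :",
          verify_detached(DEMO_KEY, sig_raw, body, honour_b64=False))
    signed = sign_embedded(DEMO_KEY, PAYLOAD)
    print("embedded, reindented/reordered verifies:",
          verify_embedded(DEMO_KEY, dict(reversed(list(signed.items())))))
```

The detached form is byte-exact: any proxy that re-serialises the body (whitespace, key order, Unicode escaping) breaks verification, which is exactly why the body must be treated as opaque bytes in that model. The embedded form survives re-serialisation because both sides sign the canonical form, at the cost of every party agreeing on the same canonicaliser.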
