Comments (5)
If you are including a kid in your jwt access token, then make sure it is generated the same way that doorkeeper-open_id_connect generates its kid in the jwks_uri.
For those curious, the following worked for me:
```ruby
# Inside the Doorkeeper::JWT.configure block of doorkeeper-jwt: derive the kid
# from the same signing key, via json-jwt, so it matches the jwks_uri entry.
token_headers do |opts|
  key = OpenSSL::PKey.read File.read('<private_key>.pem')
  { kid: JSON::JWK.new(key)[:kid] }
end
```
from doorkeeper-openid_connect.
@janz93 thanks for raising this issue!
- Yes this should be possible in principle, as the jwks_uri responds with a `keys: []` array.
- Not sure, I'm not familiar with the doorkeeper-jwt gem or how JWTs are used in OAuth outside of an OIDC context. It sounds like it would make sense to have doorkeeper-jwt as a dependency so the configuration could be shared. Note that it's currently not needed if you just want to use doorkeeper-openid_connect, we do our own JWT setup in this gem.
from doorkeeper-openid_connect.
@toupeira thank you for your response. Regarding the second point. I think since both gems are doing their own JWT setup a solution can not be found here in this issue. For the first point if possible I would like to take on this enhancement and create a PR with a possible solution for it.
from doorkeeper-openid_connect.
For the first point if possible I would like to take on this enhancement and create a PR with a possible solution for it.
@janz93 Sure that would be awesome! The only thing you have to watch out for is to still support a non-array value in existing configurations.
Regarding the second point. I think since both gems are doing their own JWT setup a solution can not be found here in this issue.
Yeah I guess there would be ways to do it, but not very cleanly 😉
from doorkeeper-openid_connect.
@janz93 We got around this by using the same key pair for doorkeeper-jwt as we did for doorkeeper-open_id_connect. If you are including a kid in your jwt access token, then make sure it is generated the same way that doorkeeper-open_id_connect generates its kid in the jwks_uri.
With that said, we would like to be able to rotate the keys that are used to sign the jwt access token / id token and be able to have the jwks_uri include the old public key as well as the newer one.
from doorkeeper-openid_connect.
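Added example (not code from this thread or from either gem) covering the first and last comments: a kid derived as the RFC 7638 JWK thumbprint, a jwks_uri document that lists both a retiring and a new key during rotation, and the verifier-side lookup that only succeeds when the token's kid matches an entry. It assumes that json-jwt's `JSON::JWK.new(key)[:kid]` yields this thumbprint; the signer, verifier and key pairs are constructed here for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# JOSE base64url encoding: URL-safe alphabet, no padding.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required RSA
# members ("e", "kty", "n") in lexicographic order with no whitespace.
# Assumption: this is the default kid that json-jwt's JSON::JWK.new(key) derives.
def jwk_thumbprint_kid(rsa)
  canonical = JSON.generate('e' => b64url(rsa.e.to_s(2)), 'kty' => 'RSA', 'n' => b64url(rsa.n.to_s(2)))
  b64url(OpenSSL::Digest::SHA256.digest(canonical))
end

# JWKS document for jwks_uri. During rotation list both the new and the retiring
# key so tokens signed with either still resolve by kid.
def jwks_document(rsa_keys)
  { keys: rsa_keys.map { |rsa| { kty: 'RSA', use: 'sig', alg: 'RS256', kid: jwk_thumbprint_kid(rsa),
                                 n: b64url(rsa.n.to_s(2)), e: b64url(rsa.e.to_s(2)) } } }
end

# Minimal RS256 signer with a kid header (constructed for this example; a
# doorkeeper-jwt token_headers block would contribute the same kid).
def sign_rs256(rsa, claims)
  header = { alg: 'RS256', typ: 'JWT', kid: jwk_thumbprint_kid(rsa) }
  input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url(rsa.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Resource-server side: resolve the header kid against the JWKS and verify the signature.
# Returns the claims, or nil when the kid is unknown, alg is not RS256, or verification fails.
def verify_rs256(jwt, jwks)
  h, p, s = jwt.split('.')
  header = JSON.parse(Base64.urlsafe_decode64(h))
  jwk = jwks[:keys].find { |k| k[:kid] == header['kid'] }
  return nil unless jwk && header['alg'] == 'RS256'
  n, e = [jwk[:n], jwk[:e]].map { |v| OpenSSL::BN.new(Base64.urlsafe_decode64(v), 2) }
  pub = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der)
  return nil unless pub.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s), "#{h}.#{p}")
  JSON.parse(Base64.urlsafe_decode64(p))
end

# Rotation walk-through with freshly generated (constructed) keys: serve both, keep signing with the old one.
OLD_KEY = OpenSSL::PKey::RSA.new(2048)
NEW_KEY = OpenSSL::PKey::RSA.new(2048)
JWKS = jwks_document([NEW_KEY, OLD_KEY])
puts JSON.pretty_generate(JWKS)
```

If the JWKS is served as JSON and parsed back on the consuming side, parse it with `symbolize_names: true` so the `:keys`/`:kid` lookup in `verify_rs256` still matches.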