Hello,
I am configuring Apereo CAS 6.4.6.6 as an OpenID Connect server. Following the CAS documentation, I added this property to the server:
cas.authn.oidc.jwks.file-system.jwks-file=file:/etc/cas/config/keystore.jwks
Looking at the documentation on how to define a client for this protocol (it is very similar for CAS 6.4.6.6), it says:
jwks -> Optional. Resource path to the keystore location that holds the keys for this application.
Isn't this the keystore.jwks that should sign the ID Token when it is generated for this service?
For example, I have:
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "https://localhost:8443/openid-connect-demo/.*",
  "clientId" : "openid_connect",
  "clientSecret" : "AAAAAAAAAA",
  "name" : "Cas Server",
  "id" : 10290,
  "evaluationOrder" : 290,
  "bypassApprovalPrompt" : true,
  "generateRefreshToken" : true,
  "jsonFormat" : true,
  "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "password", "client_credentials", "refresh_token" ] ],
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
  ....
  "jwks" : "file:/etc/cas/config/localhost/oidc/keystore3.jwks"
}
When I have the jwks property in this file, CAS automatically adds this new key to the path:
https://{SERVER_CAS_PATH}/cas/oidc/jwks
But when it has to sign the ID Token, it always uses the one from:
cas.authn.oidc.jwks.file-system.jwks-file=file:/etc/cas/config/keystore.jwks
Shouldn't I use the signature defined in "jwks"?
Am I doing something wrong? Am I missing something else to configure?
Thanks!
- Xavier -
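A quick way to check which keystore actually signed a given ID token is to decode the token's JOSE header and look up its kid in each JWKS file (the global cas.authn.oidc.jwks.file-system.jwks-file and the per-service "jwks"). This is an added example, not code from the post or from CAS; the JWKS contents, kids and token are constructed placeholders, and no signature verification is performed.

```python
import base64
import json

# Constructed stand-ins for the two keystores discussed in the post: the global
# cas.authn.oidc.jwks.file-system.jwks-file and the per-service "jwks" file.
# The RSA material is a placeholder; only kty/use/alg/kid are inspected here.
GLOBAL_JWKS = json.dumps({"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                          "kid": "cas-global-key", "n": "PLACEHOLDER", "e": "AQAB"}]})
SERVICE_JWKS = json.dumps({"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                          "kid": "openid-connect-key", "n": "PLACEHOLDER", "e": "AQAB"}]})

def _b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jws_header(token: str) -> dict:
    """Return the protected header of a compact JWS (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[0]))

def signing_keys(jwks_json: str) -> dict:
    """Map kid -> key for every key in a JWKS document usable for signatures."""
    keys = json.loads(jwks_json).get("keys", [])
    return {k["kid"]: k for k in keys if k.get("use", "sig") == "sig" and "kid" in k}

def find_signing_keystore(id_token: str, keystores: dict) -> dict:
    """Report which named keystores hold the kid from the ID token header; no match
    means a relying party cannot locate the key, alg_mismatch flags a wrong alg."""
    header = jws_header(id_token)
    kid, alg = header.get("kid"), header.get("alg")
    report = {"kid": kid, "alg": alg, "matches": [], "alg_mismatch": []}
    for name, jwks in keystores.items():
        key = signing_keys(jwks).get(kid)
        if key is None:
            continue
        report["matches"].append(name)
        if key.get("alg") not in (None, alg):
            report["alg_mismatch"].append(name)
    return report

def constructed_token(header: dict) -> str:
    """Constructed demo token: real header, placeholder payload and signature."""
    segments = [json.dumps(header).encode(), b'{"aud":"openid_connect"}', b"placeholder-sig"]
    return ".".join(_b64url_encode(s) for s in segments)
```

Against a real deployment, paste the ID token returned for the service and point the keystores dict at the contents of both JWKS files (or at what https://{SERVER_CAS_PATH}/cas/oidc/jwks publishes) to see which key CAS chose.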