a few JWK quirks in the wild


Brian Campbell

Jan 8, 2015, 1:32:33 PM
to openid-conn...@googlegroups.com
Recently I mined some JWKS content from some of the participants in the OpenID Connect Interop 5 in order to create some 'real world' tests for the JWK support of the open source JOSE/JWT library I've been working on. While doing so I noticed some little quirks in a few of the JWKs, which I thought I should share here for the sake of improving interoperability. This is hardly a complete survey but just some things that jumped out.

The three EC JWKs at https://seed.gluu.org/oxauth/seam/resource/restv1/oxauth/jwks [1] have "alg":"EC", which isn't a valid JSON Web Signature or Encryption Algorithm, which is what JWK indicates the alg value should be.

The JWK at https://openidconnect.info/jwk/jwk.json [2] is missing the required "kty" (Key Type) Parameter, looks to have misspelled the "use" (Public Key Use) Parameter as "user", and has "alg":"RSA", which is a similarly problematic use of the parameter as the "EC" value previously mentioned.

The JWK at https://identity.thinktecture.com/.well-known/jwks [3] looks to have used regular base64 encoding for the "n" (Modulus) Parameter rather than the base64url encoding used for Base64urlUInt.



[1] https://seed.gluu.org/oxauth/seam/resource/restv1/oxauth/jwks
{"keys": [
    {
        "kty": "RSA",
        "kid": "1",
        "use": "sig",
        "alg": "RS256",
        "n": "AJYQhwMG7-PCPzmp-E8_Jz8zGVuIA0upMUrqOLa9lpcduLXlpgv_g525DU8vJ34GqNgYcsjNw2dvV03cWSU8VguWSC5ijHfhzf3cSbEJTcBOfCpbir8hRgAOkU4gqSf8rXTugyJ6jw4wiMEnLlk8j18chGQvn-bqKDw9aEqg_ssxz3f0yO_p4bl5_9n5FGQHGyZYv6B_PsAHZkm_DNDu7Wa_vfv8vnq3u_38uf4WC6S5cMR15B74Ja0ylR498h23E2riz9o7X2rLsL26JLUWSfjDw-twYqF4jt6oCGDIIv4zCYdpim-2L5qKMkASPAbWs_KfXIIhJuLohrpzOaqZh_k",
        "e": "AQAB",
        "x5c": ["MIIDMDCCAhgCgYBDSFLKDmTPKXlpVPR8EuhbSUGCgd2okr\/tL7sW9nlr6oKpNovrEFUL0YkqT59dNG7zldXJWY92VQDJSmpeRX6TX74efV1prpF4Y9sW5y0iu9njcAxE2zDBCM6rGWNf+WWajOajuYkbqEfOOl1PikQkFCliIUdDYSvId6Sco05tsjANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTEzMDIxMTIxMjQxMloXDTE0MDIxMTIxMjQxMlowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJYQhwMG7+PCPzmp+E8\/Jz8zGVuIA0upMUrqOLa9lpcduLXlpgv\/g525DU8vJ34GqNgYcsjNw2dvV03cWSU8VguWSC5ijHfhzf3cSbEJTcBOfCpbir8hRgAOkU4gqSf8rXTugyJ6jw4wiMEnLlk8j18chGQvn+bqKDw9aEqg\/ssxz3f0yO\/p4bl5\/9n5FGQHGyZYv6B\/PsAHZkm\/DNDu7Wa\/vfv8vnq3u\/38uf4WC6S5cMR15B74Ja0ylR498h23E2riz9o7X2rLsL26JLUWSfjDw+twYqF4jt6oCGDIIv4zCYdpim+2L5qKMkASPAbWs\/KfXIIhJuLohrpzOaqZh\/kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAA1c5yds2m89XnhEr+WFE8APdkveJDxa+p7R5TSR924+nq4v11UPzSqkpn+Nk\/QYM6uUBH1Z0axBgrFy\/auunXbtDfm\/HzQkTx+Dlq4DgcTzUKUC\/3ObfVQCEFCaKfbtg+PTM7QytJgeoGPbjWneIvgis3zvmCULknGt\/7CYh2URAaBkWitLBuYa0yCnPSfajNpnMrOEPBElsU0lC+ka4N\/C\/v5nvkfnneMDnr8UMV2OkRv+BDyoUg5HWgtWNV7AE0I7I89aVmLxWGp0tWwnZxbfbfGChGEhHHgx0eri9L4+Hd9l5ZP1csuojHoHHcMSmaT2\/4edG4Eyxm6C2GPrCGg=="]
    },
    {
        "kty": "RSA",
        "kid": "2",
        "use": "sig",
        "alg": "RS384",
        "n": "ALs6oVo2LGaBb39Z8loTmhiZhZPq0wbfTpvhFjFoEXJRTLlucPYftbV3g_aTmUiL_Pz919nWCj-X2WOtE3g7du823qJqX8ieas_c7ehZcG8D-pxxUipRqBDX76Bw6jZ00QtEcc89MU4GJaROHcm0L8iQMkSZgIFN8u5_ZvtQzWyynXTmHve0nNMoVhTn1nrxK_dGotCDkzJZ3ph7Rjq5smxjoPGrzzeesCo9c_3edrD4jiFkDUlEOabvqfhTeX1K_X3HO-LHBBI2QxvP7U1MarxyP8TMsIQjjR1ggGNkdv4gtTK5AixjHlQYswQragzBWQ5dTrUNl366NNpYTD3-o3M",
        "e": "AQAB",
        "x5c": ["MIIDMDCCAhgCgYBmLjh1H5nHW466kS5EPsNmi+92mYsiRZ4Al+GOLr\/067Dpy\/qwiSHVcIsY0pPCORukIvwxf2CUHeKRg7HDD87jddENjlcEpUDNT9EjxixymSbrQEerPliD69MCTqGp6KyfRrf44cuEQFDdSQbYW+b25Ivms33sLim+\/5uENE7MbjANBgkqhkiG9w0BAQwFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTEzMDIxMTIxMjQxM1oXDTE0MDIxMTIxMjQxM1owHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALs6oVo2LGaBb39Z8loTmhiZhZPq0wbfTpvhFjFoEXJRTLlucPYftbV3g\/aTmUiL\/Pz919nWCj+X2WOtE3g7du823qJqX8ieas\/c7ehZcG8D+pxxUipRqBDX76Bw6jZ00QtEcc89MU4GJaROHcm0L8iQMkSZgIFN8u5\/ZvtQzWyynXTmHve0nNMoVhTn1nrxK\/dGotCDkzJZ3ph7Rjq5smxjoPGrzzeesCo9c\/3edrD4jiFkDUlEOabvqfhTeX1K\/X3HO+LHBBI2QxvP7U1MarxyP8TMsIQjjR1ggGNkdv4gtTK5AixjHlQYswQragzBWQ5dTrUNl366NNpYTD3+o3MCAwEAATANBgkqhkiG9w0BAQwFAAOCAQEAS7rNA06jrBPCLMuUq38jlHolnPHQxS1Qg0aUUCNy955AMnoh4tF60ejIxIwiZIXZdWBR0cIDxV+8Cy3WYj4a8FDQnntVR0dREfGQyICf0v5reEenSj2u2DUHgCpwFbpmrh9UTjg0swU9G06LV+q\/arDq+ejK9Wty8fWBw7RSpx3s5nq7xuA+TY4wqGTtIdPAI1q4oWOHn0x65FV6Mwv3Lis8gSXIvBhzjkAIh6PXK7YMic43sR6MGOKCJ3iO5bqW2kSJ0KQXOv6nxUwrs9k2dgrTxdUwNycZEYiQEiXK\/sPHIhqEmRZK6H00dLz\/99K4ZLm17YeF+7g4Sk0ZkMarpw=="]
    },
    {
        "kty": "RSA",
        "kid": "3",
        "use": "sig",
        "alg": "RS512",
        "n": "AK3SFO9Q0jJP1-n2ys7yyP70r149_EQ1z0EfgIg2qpAMXcuyDIWu-dqD05fkicN2izHAf463LydeRUXWAc058F-mYw8y69qcZyDxnqYu_IlmK77tDgE-oilPVF_JW3WMXAl3MHvhAQwc-2q2lLbs3qa6BqpZgXofiJdURaRS990qO1fqYm1ihT8hmq8WQmXbDS_0-L4sP3O8cK9FXWhWqtfC1yo0Ziv8OSQ3h8dYRFAupqESRpe3EzV5DICdHAdBBrSkLyfPTLIzavfCkhI4zB6VrxLF4l1yTo7ucfnobIUaiNEvwVwkytLrNM4HPk4dO8H0woEomqj4QzIPkUGLxLc",
        "e": "AQAB",
        "x5c": ["MIIDMDCCAhgCgYA6qJ8lNNfbB0VhX2UZLXLizoC1BCPEc2W25\/hJKay\/GXVMIA+42AvUqWSonkwDALudfWbPVR3vOqB8iq4O75aaGiEAw6roiOHHRVTCZm1PCH+TlGh+jATybe83cBtCGTmvt81Or4q0NK\/sJ3hi3e\/ds4IPn3eWScd1lhVUzIj2uDANBgkqhkiG9w0BAQ0FADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTEzMDIxMTIxMjQxM1oXDTE0MDIxMTIxMjQxM1owHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3SFO9Q0jJP1+n2ys7yyP70r149\/EQ1z0EfgIg2qpAMXcuyDIWu+dqD05fkicN2izHAf463LydeRUXWAc058F+mYw8y69qcZyDxnqYu\/IlmK77tDgE+oilPVF\/JW3WMXAl3MHvhAQwc+2q2lLbs3qa6BqpZgXofiJdURaRS990qO1fqYm1ihT8hmq8WQmXbDS\/0+L4sP3O8cK9FXWhWqtfC1yo0Ziv8OSQ3h8dYRFAupqESRpe3EzV5DICdHAdBBrSkLyfPTLIzavfCkhI4zB6VrxLF4l1yTo7ucfnobIUaiNEvwVwkytLrNM4HPk4dO8H0woEomqj4QzIPkUGLxLcCAwEAATANBgkqhkiG9w0BAQ0FAAOCAQEASyqKmhz7o5VjB5gKSBaLw9yqNo8zruYizkLKhUxzAdna6qz73ONAdXtrdok79Qpio2nlvyPgspF9rYKgwxguvHpTOkdCZ3LNPF4QLsn3I0vs3gr8+oXhXbA58kqsBSAyt54HDTa7Zh8c\/G1u5W\/0+lsgCwtMSzeISnNrqY3a3K97Uy6OoxDqWk8t4W1OgtYhi6wiq7BGQ9xg7QlwMrVNc165ixgaW46\/tpafONG7+WFaWnzROPHrh6rSv4diz8bd7MqDDVLB2q\/QolzWTtxHSgkFu1t5dNEQznJI5Ay\/txPKgRNiv3EhD8fv9EKsip1epKtsP5Il6mLktPBjZMHjMg=="]
    },
    {
        "kty": "EC",
        "kid": "4",
        "use": "sig",
        "alg": "EC",
        "crv": "P-256",
        "x": "eZXWiRe0I3TvHPXiGnvO944gjF1o4UmitH2CVwYIrPg",
        "y": "AKFNss7S35tOsp5iY7-YuLGs2cLrTKFk80JvgVzMPHQ3",
        "x5c": ["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\/fExaviosXNKg\/IAiBpZB4XXcnQISwauSJ1hXNnSEcONXdqvO5gDHu+X7QHLg=="]
    },
    {
        "kty": "EC",
        "kid": "5",
        "use": "sig",
        "alg": "EC",
        "crv": "P-384",
        "x": "XGp9ovRmtaBjlZKGI1XDBUB6F3d4Xov4JFKUCaeVjMD0_GAp20IB_wZz6howe3yi",
        "y": "Vhy6zh3KOkDqSA5WP6BtDyS9CZR7RoCCWfwymBB3HIBIR_yl32hnSYXtlwEr2EoK",
        "x5c": ["MIIB4zCCAWgCgYEA9v7jYfmKYNePYWQt6M8BQsvb4swqpVEYulCJq8bOKuhz5\/VgM8J8lGaClDRhY6msrtW16kRbZvnMvgKNBJ52TXGKtEFylMzDQ4k\/HYGb1w7FwlXVyv3TScFNm9JnfsMe7ecOcanRFn+hYjiZdEcTB85wLvpKRDlkpuIf0khB8iMwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTAeFw0xMzAyMTEyMTI0MTFaFw0xNDAyMTEyMTI0MTFaMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARcan2i9Ga1oGOVkoYjVcMFQHoXd3hei\/gkUpQJp5WMwPT8YCnbQgH\/BnPqGjB7fKJWHLrOHco6QOpIDlY\/oG0PJL0JlHtGgIJZ\/DKYEHccgEhH\/KXfaGdJhe2XASvYSgowCgYIKoZIzj0EAwIDaQAwZgIxAOV6rC\/muVarcSXaP9Z7Pn7aI3o5fixoVx6E\/xYTOg+H10FMsluIdahjt90fNJYiYAIxAO+IHenKHe2xr8RpphzqWnAexswcEI6A3drp1f24Z8XtTJHNIHAVP6wr88oz5+eFoQ=="]
    },
    {
        "kty": "EC",
        "kid": "6",
        "use": "sig",
        "alg": "EC",
        "crv": "P-521",
        "x": "KrVaPTvvYmUUSf_1UpwJt_Lg9UT-8OHD_AUd-d7-Q8Rfs4t-lTJ5KEyjbfMzTHsvNulWftuaMH6Ap3l5vbDb2nQ",
        "y": "AIxSEGvlKlWZiN_Rc3VjBs5oVB5l-JfCZHm2LyZpOxAzWrpjHlK121H2ZngM8Ra8ggKa64hEMDE1fMV__C_EZv9m",
        "x5c": ["MIICLDCCAY0CgYAcLY90WqvtOS1H1zyF0jrrHT549yccB4rk61J96JlOnRTbuTq7wWWgOm6csS+19GMRIIDk5njc6M50WUeCcFEURy9wmZKAW3\/PgOgnPydjnvBIIofOfZOVeaLjji64h7Ju\/Ur8Ki28sN5xeyz5iGhqst1CJ0RVBAbpT4IN2szemTAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTEzMDIxMTIxMjQxMVoXDTE0MDIxMTIxMjQxMVowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEACq1Wj0772JlFEn\/9VKcCbfy4PVE\/vDhw\/wFHfne\/kPEX7OLfpUyeShMo23zM0x7LzbpVn7bmjB+gKd5eb2w29p0AIxSEGvlKlWZiN\/Rc3VjBs5oVB5l+JfCZHm2LyZpOxAzWrpjHlK121H2ZngM8Ra8ggKa64hEMDE1fMV\/\/C\/EZv9mMAoGCCqGSM49BAMCA4GMADCBiAJCAb+BYADga2su9Sejzgbfz4lrSPt1l7PWeyDXtTGqa8yvIf4f3Hudp272WeXxeBpL\/7EFtho8CvG8zhvrp7bC+E84AkIBv3V6seORxzsO5hv1mtAKIPdFmePIrKrGFqa7ESR56DZxVYeJ5GHi1gU4LJdGcUYDpz0GDqznxAmvA3AimrwAWUk="]
    }
]}


[2] https://openidconnect.info/jwk/jwk.json
{"keys":[{"alg":"RSA","mod":"4ZLcBYTH4S3b80iEkDKTAmLvNM3XkqgdQoLPtNgNoilmHD1wian5_EDl2IvwAJRug9I0TnhVuMZW3ylhsPxus3Iu70nCQbOdsoBCobNzm6RaLUsz6LjRa2mvLMHeG1CP5rGWiv5GwBU8DNuUf_uPWXMe9K3i3E27nm4NnwDcOMPETpr6PLB2h4iXsHrKGLIFPdoPx_TIcrbj7RR9vWtrkj1pHt2OnJy5cFmXXRc77SZw0qRouVD0cqiS0XPHTaoFgmFr1x7NdbENxMJZJ-VPaIqN0ht2tFX5oOCClhNjBTKc2U-c-b32ETtUnNUu1kHafS-V0qsobmy-Cq_gyyQY2w","exp":"AQAB","user":"sig"}]}


[3] https://identity.thinktecture.com/.well-known/jwks
{"keys":[{"kty":"RSA","use":"sig","kid":"a3rMUgMFv9tPclLa6yF3zAkfquE","x5t":"a3rMUgMFv9tPclLa6yF3zAkfquE","e":"AQAB","n":"qnTksBdxOiOlsmRNd+mMS2M3o1IDpK4uAr0T4/YqO3zYHAGAWTwsq4ms+NWynqY5HaB4EThNxuq2GWC5JKpO1YirOrwS97B5x9LJyHXPsdJcSikEI9BxOkl6WLQ0UzPxHdYTLpR4/O+0ILAlXw8NU4+jB4AP8Sn9YGYJ5w0fLw5YmWioXeWvocz1wHrZdJPxS8XnqHXwMUozVzQj+x6daOv5FmrHU1r9/bbp0a1GLv4BbTtSh4kMyz1hXylho0EvPg5p9YIKStbNAW9eNWvv5R8HN7PPei21AsUqxekK0oW9jnEdHewckToX7x5zULWKwwZIksll0XnVczVgy7fCFw==","x5c":["MIIDBTCCAfGgAwIBAgIQNQb+T2ncIrNA6cKvUA1GWTAJBgUrDgMCHQUAMBIxEDAOBgNVBAMTB0RldlJvb3QwHhcNMTAwMTIwMjIwMDAwWhcNMjAwMTIwMjIwMDAwWjAVMRMwEQYDVQQDEwppZHNydjN0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnTksBdxOiOlsmRNd+mMS2M3o1IDpK4uAr0T4/YqO3zYHAGAWTwsq4ms+NWynqY5HaB4EThNxuq2GWC5JKpO1YirOrwS97B5x9LJyHXPsdJcSikEI9BxOkl6WLQ0UzPxHdYTLpR4/O+0ILAlXw8NU4+jB4AP8Sn9YGYJ5w0fLw5YmWioXeWvocz1wHrZdJPxS8XnqHXwMUozVzQj+x6daOv5FmrHU1r9/bbp0a1GLv4BbTtSh4kMyz1hXylho0EvPg5p9YIKStbNAW9eNWvv5R8HN7PPei21AsUqxekK0oW9jnEdHewckToX7x5zULWKwwZIksll0XnVczVgy7fCFwIDAQABo1wwWjATBgNVHSUEDDAKBggrBgEFBQcDATBDBgNVHQEEPDA6gBDSFgDaV+Q2d2191r6A38tBoRQwEjEQMA4GA1UEAxMHRGV2Um9vdIIQLFk7exPNg41NRNaeNu0I9jAJBgUrDgMCHQUAA4IBAQBUnMSZxY5xosMEW6Mz4WEAjNoNv2QvqNmk23RMZGMgr516ROeWS5D3RlTNyU8FkstNCC4maDM3E0Bi4bbzW3AwrpbluqtcyMN3Pivqdxx+zKWKiORJqqLIvN8CT1fVPxxXb/e9GOdaR8eXSmB0PgNUhM4IjgNkwBbvWC9F/lzvwjlQgciR7d4GfXPYsE1vf8tmdQaY8/PtdAkExmbrb9MihdggSoGXlELrPA91Yce+fiRcKY3rQlNWVd4DOoJ/cPXsXwry8pWjNCo5JD8Q+RQ5yZEy7YPoifwemLhTdsBz3hlZr28oCGJ3kbnpW0xGvQb3VHSTVVbeei0CfXoW6iz1"]}]}
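As an added example (not code from this thread, nor from the JOSE/JWT library Brian mentions), the following Python linter checks a JWK Set for the three classes of quirk described above: an "alg" that names a key type rather than a JWA algorithm, a missing "kty" or unknown member names such as "user", "mod" and "exp", and Base64urlUInt values carrying standard-base64 characters or padding. The sample keys at the bottom are constructed for the example and are not the real keys quoted in the thread; the function names are my own.

```python
"""Lint a JWK Set for the interoperability quirks discussed in the thread.

Added example: checks for (1) "alg" set to a key type ("EC", "RSA") instead
of a JWA algorithm name, (2) a missing required "kty" and unknown member
names ("user" for "use", "mod"/"exp" for "n"/"e"), and (3) Base64urlUInt
members encoded with standard base64 ('+', '/', '=') instead of base64url.
Sample keys below are constructed, not the keys quoted in the thread.
"""
import base64
import json
import re

# base64url alphabet only; no '+', '/' and no '=' padding.
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Algorithm names registered by JWA (RFC 7518).
JWA_ALGS = {
    "HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "none",
    "RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
    "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}
# Algorithm prefix -> key type it requires (used for a consistency check).
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}

COMMON_MEMBERS = {"kty", "use", "key_ops", "alg", "kid", "x5u", "x5c", "x5t", "x5t#S256"}
KTY_MEMBERS = {
    "RSA": {"n", "e", "d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"crv", "x", "y", "d"},
    "oct": {"k"},
}
REQUIRED = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "oct": {"k"}}
# Members that must be base64url. Note "x5c" is deliberately absent: it is
# standard base64 (DER certificate) by specification, so it must not be linted here.
B64URL_MEMBERS = {"n", "e", "d", "p", "q", "dp", "dq", "qi", "x", "y", "k"}


def lint_jwk(jwk):
    """Return a list of human-readable findings for one JWK (empty if clean)."""
    findings = []
    kty = jwk.get("kty")
    if kty is None:
        findings.append('missing required "kty"')
    elif kty not in KTY_MEMBERS:
        findings.append(f'unknown "kty" {kty!r}')

    alg = jwk.get("alg")
    if alg is not None:
        if alg not in JWA_ALGS:
            hint = " (this is a key type, not an algorithm)" if alg in KTY_MEMBERS else ""
            findings.append(f'"alg" {alg!r} is not a JWA algorithm{hint}')
        elif kty and ALG_KTY.get(alg[:2]) not in (None, kty):
            findings.append(f'"alg" {alg!r} does not match kty {kty!r}')

    known = COMMON_MEMBERS | KTY_MEMBERS.get(kty, set())
    findings += [f"unknown member {name!r}" for name in jwk if name not in known]
    findings += [f"missing required {name!r} for kty {kty!r}"
                 for name in sorted(REQUIRED.get(kty, set())) if name not in jwk]

    for name in sorted(B64URL_MEMBERS & jwk.keys()):
        value = jwk[name]
        if not isinstance(value, str) or not B64URL_RE.match(value):
            findings.append(f"{name!r} is not base64url (standard base64 chars or '=' padding)")
    return findings


def lint_jwks(jwks_text):
    """Lint a JWK Set document; map each key's kid (or index) to its findings."""
    doc = json.loads(jwks_text)
    keys = doc.get("keys")
    if not isinstance(keys, list):
        return {"<document>": ['top-level "keys" array missing']}
    return {jwk.get("kid", f"#{i}"): lint_jwk(jwk) for i, jwk in enumerate(keys)}


def b64url_uint_to_int(value):
    """Strict Base64urlUInt decode: rejects the standard-base64 alphabet instead of
    silently accepting it the way a lenient urlsafe decoder would."""
    if not B64URL_RE.match(value):
        raise ValueError(f"not base64url: {value!r}")
    return int.from_bytes(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)), "big")


def _b64url(raw):  # helper for building constructed sample values
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample JWK Set mirroring the three quirks (values are not real keys).
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "ok", "use": "sig", "alg": "RS256",
     "n": _b64url(b"\x00\xc0\xff\xee"), "e": "AQAB"},
    {"kty": "EC", "kid": "alg-is-kty", "use": "sig", "alg": "EC", "crv": "P-256",
     "x": _b64url(b"\x01" * 32), "y": _b64url(b"\x02" * 32)},
    {"alg": "RSA", "kid": "no-kty", "mod": _b64url(b"\x03"), "exp": "AQAB", "user": "sig"},
    {"kty": "RSA", "kid": "std-b64", "use": "sig",
     "n": base64.b64encode(b"\xfb\xef\xbe\xff").decode(), "e": "AQAB"},
]}

if __name__ == "__main__":
    for kid, findings in lint_jwks(json.dumps(SAMPLE_JWKS)).items():
        print(kid, "->", findings or "clean")
```

The lint works on the alphabet rather than by attempting a decode because Python's `base64.urlsafe_b64decode` (like many lenient decoders) happily accepts '+', '/' and '=' too, so a consumer that "successfully" parses the thinktecture-style modulus learns nothing about the quirk; `b64url_uint_to_int` shows the strict alternative.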


Dominick Baier

Jan 8, 2015, 1:37:27 PM
to openid-conn...@googlegroups.com
Thanks! Will fix it.

Dominick Baier

Jan 8, 2015, 3:56:27 PM
to openid-conn...@googlegroups.com
Should be fixed. Do you want to double check?

thanks!

Brian Campbell

Jan 8, 2015, 4:47:19 PM
to openid-conn...@googlegroups.com
Hey Dominick, the new n value passes the eyeball check.

--
You received this message because you are subscribed to the Google Groups "OpenID Connect Interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openid-connect-in...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mike Jones

Jan 8, 2015, 7:47:32 PM
to Ryo Ito, openid-conn...@googlegroups.com

Ryo – did you see this feedback on the implementation at openidconnect.info?

--

Mike Jones

Jan 8, 2015, 7:49:09 PM
to Mike Schwartz, openid-conn...@googlegroups.com

Mike – did you see this feedback on the Gluu OpenID Connect implementation?
