Hi Wei!
> 1) we are getting a private key from authserver and using that key for signing, would this introduce some security risk? (private key over http)
Transmitting private keys over http is always a significant security risk. That being said, transmitting it within a VPC/internal network is ok-ish, transmitting it over the internet is absolutely not.
> 2) After fetching the private key, I was not able to sign my JWT with it because the "Padding check" failed in Java. Apparently there should be some relation between dp, dq, qi, p, and q. I was able to sign the JWT after manually dropping the p and q part. Do you have any insight into this issue?
AFAIK those values are "cache" values that reduce computing time. It is fine to discard them!
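As an added example (not part of this thread), the Python below shows what dp, dq and qi are: the RSA-CRT precomputation values from the JWK format. It checks whether they are consistent with p, q and d, shows that an inconsistent set produces a wrong signature, and that a key reduced to (n, d) still signs correctly. The primes are constructed, tiny and insecure so the arithmetic runs offline without any crypto library.

```python
# Added example, not from the original thread. The primes P and Q are
# constructed, far too small for real use, and exist only so the RSA
# arithmetic runs offline with the standard library.
from math import gcd

P = 1000000007
Q = 998244353
E = 65537


def make_key(p=P, q=Q, e=E):
    """Build a JWK-style private key dict including the CRT values."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1),      # d mod (p-1)
            "dq": d % (q - 1),      # d mod (q-1)
            "qi": pow(q, -1, p)}    # q^-1 mod p


def crt_consistent(key):
    """True iff dp, dq and qi actually match p, q and d."""
    p, q, d = key["p"], key["q"], key["d"]
    return (key["n"] == p * q
            and key["dp"] == d % (p - 1)
            and key["dq"] == d % (q - 1)
            and (key["qi"] * q) % p == 1)


def strip_crt(key):
    """The 'drop p and q' workaround: keep only n, e and d."""
    return {k: key[k] for k in ("n", "e", "d")}


def sign_plain(m, key):
    """Textbook RSA private operation using only n and d."""
    return pow(m, key["d"], key["n"])


def sign_crt(m, key):
    """Same operation via the CRT values, as libraries do for speed."""
    p, q = key["p"], key["q"]
    m1 = pow(m % p, key["dp"], p)
    m2 = pow(m % q, key["dq"], q)
    h = (key["qi"] * (m1 - m2)) % p
    return m2 + h * q


def verify(sig, m, key):
    """Public operation: recovers m iff sig was made with the matching d."""
    return pow(sig, key["e"], key["n"]) == m
```

A key with mismatched CRT values signs wrongly, which is the kind of failure a library reports as a padding or consistency error, while the stripped (n, e, d) key signs fine.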