Identity and Access Management (IAM)


jwt kid value(tfimsso)

  • 1.  jwt kid value(tfimsso)

    Posted 8 days ago
    Hi,

    Does anyone have a python script that calculates the kid value in the jwt based on the certificate?

    ------------------------------
    Regards Mikael
    ------------------------------


  • 2.  RE: jwt kid value(tfimsso)

    Posted 8 days ago
    KID is the Key ID. It is a static string to identify the key that was used to sign the JWT.
    You should be able to take the KID value from the JWT and compare it to the KID in the JWKS endpoint which would supply the public key for validating the signature is correct.
    If it's an id_token JWT then the "iss" issuer URL returned should point to the OAuth URL.
    If you add "/.well-known/openid-configuration" to that URL the openid config should include the "jwks_uri" which then points to the JWKS endpoint. If you then retrieve the JWKS the "kid" value in there should contain the "n & e" values being the Modulus (n) and Exponent (e) which is all you require to validate the jwt is correct.
    The site "jwt.io" is fantastic to validate that the JWT is correct since you can paste in the JWT, and if the openid-config is correct and the jwks endpoint returns the public cert then the site automagically downloads the public cert and you should get the green tick showing it is signed correctly.

    ------------------------------
    Peter Lambrechtsen
    ------------------------------



  • 3.  RE: jwt kid value(tfimsso)

    Posted 8 days ago
    Thanks for the reply @Peter Lambrechtsen

    The problem in "tfimsso" is that when you are going to change the certificate that is used to sign the jwt you get a new kid, and this kid needs to be added to a JWKS. You want to update/add the kid to the JWKS before changing the cert, otherwise the applications using the jwt will stop working. So that's why it would be nice to be able to calculate it beforehand.

    ------------------------------
    Regards Mikael
    ------------------------------



  • 4.  RE: jwt kid value(tfimsso)

    Posted 8 days ago
    The problem is it might not be a calculated value and for tfimsso it might just be a random string.
    I haven't used that part of ISAM but it is on my todo but the kid is typically a random string generated by the IDP rather than something that is calculated.
    So when a new public/private key for signing is added, the jwks should automatically be updated to include the new public key as a new key entry in the json array. Plus, if it's an RSxxx or PSxxx cert then the jwks key doesn't need to be a certificate; it can just be an RSA Public/Private key, and RSA Public/Private keys don't include an expiry date, as that is only included in a certificate.
    If the jwks has an n & e then it's just an RSA Public key; if there is an x5c then that is the public certificate and it would be up to the client side to validate the certificate dates or not (and I have seen the date not always validated by the client).
    It's the iat & exp within the jwt itself that determine the validity period of the token, rather than whether a certificate (as opposed to an RSA public/private key) used to sign the jwt is actually valid.
    https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html
    It is an important aspect that is often overlooked when validating JWTs that, apart from the good hygiene of cycling public/private keys every two years or so, there isn't any implementation requirement in RFC7518/9 to renew the signing keys, as it doesn't need to be a certificate.

    ------------------------------
    Peter Lambrechtsen
    ------------------------------



  • 5.  RE: jwt kid value(tfimsso)

    Posted 8 days ago
    If you have a cluster of webseals, every one of them "must" generate the same kid (and they do) when using the same private key, so I don't think it's random. And that's why it would be nice to be able to calculate the kid in advance (alg=RS256). I solve it by temporarily exchanging the cert, enabling pdweb.debug, making a request and then taking the kid out of the jwt assertion header so I can put it in the JWKS.

    navigating-rs256-and-jwks


    Many thanks for responding :-)



    ------------------------------
    Regards Mikael
    ------------------------------
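
One standard way a kid is derived deterministically from an RSA public key is the RFC 7638 JWK thumbprint: base64url(SHA-256) over the canonical JSON of the required members {"e","kty","n"}. Whether tfimsso uses this scheme is not established in the thread, so the practical use of the script below (an added example, not code from the posts or from IBM) is to compute the thumbprint for the new key and compare it with the kid read from the JWT header captured via pdweb.debug as Mikael describes; if they match, the kid can be pre-published in the JWKS before the cert is swapped. The modulus in the demo is a constructed toy value, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Encode a positive integer (RSA n or e) as a minimal big-endian base64url string."""
    length = (value.bit_length() + 7) // 8
    return b64url(value.to_bytes(length, "big"))


def canonical_input(n_b64: str, e_b64: str) -> str:
    """RFC 7638 hash input: required RSA members only, lexicographic order, no whitespace."""
    return json.dumps({"e": e_b64, "kty": "RSA", "n": n_b64},
                      sort_keys=True, separators=(",", ":"))


def rfc7638_thumbprint(n_b64: str, e_b64: str) -> str:
    """JWK thumbprint: base64url(SHA-256(canonical JSON)); a candidate deterministic kid."""
    digest = hashlib.sha256(canonical_input(n_b64, e_b64).encode("utf-8")).digest()
    return b64url(digest)


def jwks_entry(n: int, e: int, alg: str = "RS256") -> dict:
    """Build the JWKS key object to publish for an RSA signing key, kid set to its thumbprint."""
    n_b64, e_b64 = int_to_b64url(n), int_to_b64url(e)
    return {"kty": "RSA", "use": "sig", "alg": alg,
            "kid": rfc7638_thumbprint(n_b64, e_b64), "n": n_b64, "e": e_b64}


def kid_from_jwt(token: str) -> str:
    """Read the kid from a JWT header (header only is decoded; the signature is not checked)."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)   # restore padding stripped by base64url
    return json.loads(base64.urlsafe_b64decode(header_b64))["kid"]


if __name__ == "__main__":
    # Constructed toy modulus for illustration only; a real n/e would be read from the certificate.
    TOY_N = int("c3a1f4b9e0d2c5a7b1e3d5f70918273645a6b7c8d9e0f1a2b3c4d5e6f7081920", 16)
    entry = jwks_entry(TOY_N, 65537)
    print(json.dumps({"keys": [entry]}, indent=2))
    # Compare entry["kid"] with kid_from_jwt(<token captured from pdweb.debug>)
```

If the computed thumbprint does not equal the kid observed in the header, tfimsso uses some other derivation and the capture-and-copy approach from the last post remains the way to obtain it.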