Thank you so much. I'm gonna try it after summer, the only problem for me is that I'm gonna end up with a very big JSON,
I'll have to keep it updated and to begin I'll have to write a script just for filling the initial JSON with the 100+ definitions/certs I already have.
I'll probably put the JSON in a separate Lua script which I'll import in the main one (if that is possible, as for mapping rules).
Original Message:
Sent: Mon August 05, 2024 06:47 AM
From: Shane Weeden
Subject: JWKS endpoint shows all cert in kdb
Yes. Read the code and try it first. I comment the debug logging output too as you observe what it does. The LoggingUtils Lua file is in the same directory.
------------------------------
Shane Weeden
IBM
Original Message:
Sent: Mon August 05, 2024 05:33 AM
From: Sascha W
Subject: JWKS endpoint shows all cert in kdb
Hi Shane, thanks for your reply and your effort in writing this Lua script.
My CNs are not lower case; can I just put them in the JSON in lower case and it will work?
Original Message:
Sent: Mon August 05, 2024 02:09 AM
From: Shane Weeden
Subject: JWKS endpoint shows all cert in kdb
In the interests of trying to get you to a solution quickly, here's a SAMPLE Lua HTTP transformation rule that might help start you in the right direction:
https://github.com/sbweeden/blog_assets/blob/master/lua_http_transformations/jwks_filter_app.lua
There is a variable declared in it called definitionNameToCNList which maps an OAuth/OIDC definition name to a list of strings. Each string is a lower case DN, and if the subject of any of the certificates defined in an x5c array of any key in the JWKS matches any of these lower case DNs, then that key will be included in the JWKS endpoint response, otherwise it will be filtered out.
This takes a little while to get your head around, but basically if you listed all of your OIDC definitions, and for each you had an array (even if that array only contains one DN string) of the DNs of the certificates from keys you want included in the output for the JWKS endpoint for that OIDC definition, then only those keys you want for each definition will be returned.
There is a comment block at the top of the file that shows how I configured it in the webseal configuration file.
------------------------------
Shane Weeden
IBM
Original Message:
Sent: Mon August 05, 2024 12:40 AM
From: Shane Weeden
Subject: JWKS endpoint shows all cert in kdb
I can probably help you with a crafty Lua HTTP transformation rule to filter out the JWKS entries that you don't need, based on the JWKS URL being accessed and the x5c of the key related to the application you wish to show (if there is only one). If there is something in the x5c that identifies the app (e.g. the CN contains something related to the OIDC definition name), then that would make the filtering "algorithmic" rather than you having to manage a definition -> KID list yourself. Can you provide a sample of the current JWKS data, an example of the definition name (i.e. the JWKS URL that is used for a particular app), and which key from the JWKS that "app" relates to? Perhaps if there is some identifying string in the JWKS entry that maps to a part of the JWKS endpoint URL path, then you can get clever here and use a single HTTP transformation rule just applied to the response from each and every JWKS endpoint.
------------------------------
Shane Weeden
IBM
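The filtering approach described in Shane's two messages above (a definition-name-to-DN-list mapping, keys kept only when a certificate in their x5c chain has a matching subject DN, with the definition name taken from the JWKS URL), shown as an added Python example so it can be run offline. This is not the jwks_filter_app.lua rule from the linked repository and not IBM code; the URL layout (`/jwks/<definition>`), the `attr=value` DN rendering, and the certificates (minimal unsigned DER structures built inline) are all constructed for the demo, and the DN string format must of course match whatever the real rule produces from the certificate subject.

```python
"""Added example, not the Lua rule from the thread: filter a JWKS down to the
keys whose x5c subject DN is listed for the OAuth definition being served."""
import base64
import json

# --- minimal DER helpers (constructed for the demo; real certs parse the same way)
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

_OID_TO_NAME = {bytes.fromhex("550403"): "CN",   # 2.5.4.3 commonName
                bytes.fromhex("55040A"): "O",    # 2.5.4.10 organizationName
                bytes.fromhex("550406"): "C"}    # 2.5.4.6 countryName
_NAME_TO_OID = {v: k for k, v in _OID_TO_NAME.items()}
_SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + b"\x05\x00")

def make_cert_der(subject_rdns) -> bytes:
    """Build a structurally valid but unsigned X.509 certificate (test data only)."""
    def name(rdns):
        return _tlv(0x30, b"".join(
            _tlv(0x31, _tlv(0x30, _tlv(0x06, _NAME_TO_OID[a]) + _tlv(0x0C, v.encode())))
            for a, v in rdns))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _SHA256_RSA
               + name([("CN", "Demo Issuer CA")]) + validity + name(subject_rdns)
               + _tlv(0x30, _SHA256_RSA + _tlv(0x03, b"\x00")))   # placeholder SPKI
    return _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00"))     # empty signature

def subject_dn_from_der(der: bytes) -> str:
    """Walk Certificate -> TBSCertificate -> subject, rendered as 'CN=..,O=..,C=..'
    in certificate order (the rendering is an assumption of this demo)."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)        # optional [0] version
    if tag != 0xA0:
        pos = 0                            # v1 certificate: no version field
    for _ in range(4):                     # serial, signature alg, issuer, validity
        _, _, pos = _read_tlv(tbs, pos)
    _, subject, _ = _read_tlv(tbs, pos)
    parts, p = [], 0
    while p < len(subject):
        _, rdn, p = _read_tlv(subject, p)  # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(rdn, 0)      # first AttributeTypeAndValue
        _, oid, q = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, q)
        parts.append(f"{_OID_TO_NAME.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)

def definition_from_jwks_path(path: str) -> str:
    """Assumed URL layout: the last path segment is the OAuth definition name."""
    return path.rstrip("/").rsplit("/", 1)[-1]

def filter_jwks(jwks: dict, definition_name: str, definition_to_dns: dict) -> dict:
    """Keep only keys whose x5c chain contains a subject DN listed for this
    definition. Both sides are lower-cased, so mixed-case CNs in the certs
    still match the lower-case strings in the mapping."""
    wanted = {dn.lower() for dn in definition_to_dns.get(definition_name, [])}
    kept = []
    for key in jwks.get("keys", []):
        subjects = {subject_dn_from_der(base64.b64decode(c)).lower() for c in key.get("x5c", [])}
        if subjects & wanted:
            kept.append(key)
    return {"keys": kept}

# Constructed sample data: one mapping entry per OAuth definition.
DEFINITION_TO_DNS = {"Pluto": ["cn=pluto,o=example corp,c=it"],
                     "Saturn": ["cn=saturn,o=example corp,c=it"]}

def sample_jwks() -> dict:
    def key(kid, subject):
        return {"kty": "RSA", "kid": kid, "use": "sig", "n": "placeholder", "e": "AQAB",
                "x5c": [base64.b64encode(make_cert_der(subject)).decode()]}
    return {"keys": [key("pluto-2024", [("CN", "Pluto"), ("O", "Example Corp"), ("C", "IT")]),
                     key("saturn-2024", [("CN", "Saturn"), ("O", "Example Corp"), ("C", "IT")]),
                     key("legacy", [("CN", "Legacy Partner"), ("O", "Example Corp"), ("C", "IT")])]}

if __name__ == "__main__":
    name = definition_from_jwks_path("/jwks/Pluto")
    print(json.dumps(filter_jwks(sample_jwks(), name, DEFINITION_TO_DNS), indent=2))
```

Run as a script it prints only the `pluto-2024` key for the `/jwks/Pluto` request; a definition with no mapping entry gets an empty key set rather than the whole KDB, which is the safe default when a new definition has not been added to the mapping yet.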
Original Message:
Sent: Thu August 01, 2024 07:30 AM
From: Sascha W
Subject: JWKS endpoint shows all cert in kdb
Hi,
I usually put all my OAuth certificates in one KDB.
I have multiple OAuth definitions (almost 100) and multiple JWKS URLs (each with the OAuth definition name in it), but the endpoint shows ALL the certificates in the KDB.
Apart from not needing to cross-share the certs with different partners, I have a serious issue: some Java libraries fail to manage the JWKS content since it's too big, and some partners complain about having to manage all the unneeded certificates when they only need one.
Is there a way to let the JWKS endpoint from OAuth definition "Pluto" show only the "Pluto" cert?
The only workaround I found is to have a different KDB for each OAuth definition, but I don't want to end up with 100+ KDBs.
Thank you
S.