OpenAM issue OPENAM-10423

ID token signature and encryption is always using X509 certificate

    Details

    • Sprint:
      AM Sustaining Sprint 33, AM Sustaining Sprint 34
    • Story Points:
      5

      Description

      Depending on the public key location, the ID token is supposed to be signed with either the X509 certificate, a public key from the JWK, or the JWKS_URI.

      Today, we always read the X509 certificate and use it for signing and encrypting, even if the public key location is not X509.

      How to reproduce

      • Create an OAuth2 client with
            // public key location is JWKS; no X509 certificate is registered for the client
            client = OAuth2Client.builder()
                    .realm(realm)
                    .scopes("openid")
                    .tokenEndpointAuthMethod(CLIENT_SECRET_POST)
                    .idTokenSigingAlgorithm(JWSAlgorithm.RS256)
                    .enabledIdTokenEncryption(true)
                    .idTokenEncryptionAlgorithm(jwkForEncryption.getAlgorithm().getName())
                    .idTokenEncryptionMethod(encryptionMethod.getName())
                    .publicKeyLocation(OAuth2Client.PublicKeyLocation.JWKS)
                    .jwk(jwkStore.jwksInJsonFormat().toJSONString())
                    .create();

      • Create an access token using the flow of your choice; here I used the password grant flow.

      Expected result

      ID token signed and encrypted with one of the keys in the jwks field.

      Actual result

      Signed and encrypted with the X509, but here I haven't even defined one => ended in a bad 500.
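      As an added illustration (not OpenAM's own code), the key-selection rule the description implies, in Python over constructed client data: the key is looked up where the client's configured public key location says it lives, and a missing key is reported as a configuration error instead of surfacing as an unhandled 500. The client field names, the fetcher callback and the placeholder JWKS are assumptions; the second function models the reported behaviour for contrast.

```python
import json
from enum import Enum

# Constructed model of a client registration; field names are assumptions, not OpenAM's attribute names.
class PublicKeyLocation(Enum):
    X509 = "x509"
    JWKS = "jwks"
    JWKS_URI = "jwks_uri"

class KeySelectionError(Exception):
    """Configuration error reported to the caller instead of surfacing as an unhandled 500."""

def select_client_key(client, use, alg, fetch_jwks=None):
    """Return the client key for `use` ('sig' or 'enc') and `alg`, looked up where the
    client's public key location says it lives rather than always in the X.509 certificate."""
    location = client["public_key_location"]
    if location is PublicKeyLocation.X509:
        if not client.get("x509_certificate"):
            raise KeySelectionError("location is X509 but no certificate is registered")
        return {"kty": "RSA", "x5c": [client["x509_certificate"]]}
    if location is PublicKeyLocation.JWKS:
        jwks = json.loads(client.get("jwks") or '{"keys": []}')
    elif location is PublicKeyLocation.JWKS_URI:
        if fetch_jwks is None or not client.get("jwks_uri"):
            raise KeySelectionError("location is JWKS_URI but no URI or fetcher is available")
        jwks = fetch_jwks(client["jwks_uri"])  # assumed callback; a real one does an HTTPS GET
    else:
        raise KeySelectionError(f"unsupported public key location {location!r}")
    # RFC 7517 makes 'use' and 'alg' optional, so a key that omits them remains a candidate.
    matches = [k for k in jwks.get("keys", [])
               if k.get("use", use) == use and k.get("alg", alg) == alg]
    if not matches:
        raise KeySelectionError(f"no JWK with use={use} alg={alg} for {client['client_id']}")
    return matches[0]

def always_x509_key(client, use, alg):
    """The behaviour the ticket describes: the location is ignored and the X.509 certificate
    is read unconditionally, so a JWKS-only client with no certificate fails."""
    if not client.get("x509_certificate"):
        raise KeySelectionError("no X.509 certificate registered")  # what ended as the 500
    return {"kty": "RSA", "x5c": [client["x509_certificate"]]}

# Constructed JWKS with placeholder key material (not real keys): one signing, one encryption key.
CONSTRUCTED_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP", "n": "placeholder", "e": "AQAB"},
]})
JWKS_CLIENT = {"client_id": "example-client", "public_key_location": PublicKeyLocation.JWKS,
               "jwks": CONSTRUCTED_JWKS}  # as in the report: JWKS location, no x509_certificate
```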

              People

              • Assignee:
                Quentin CASTEL (quentin.castel)
              • Reporter:
                Quentin CASTEL (quentin.castel)