OPENAM-10425

The KID of the encrypted JWT ID token is not correct

    Details

    • Sprint:
      AM Sustaining Sprint 33, AM Sustaining Sprint 34
    • Story Points:
      1

      Description

      When encrypting the ID token, the kid returned comes from the OpenAM keystore JWKS and not from the client JWKS.

      Note: both the client and OpenAM offer a JWKS. They are designed for different purposes.

      The JWKS from the client is designed to be used for verifying JWTs signed by the client and for encrypting JWTs for the client.
      Conversely, the JWKS from AM is designed for signing JWTs for the client and for encrypting JWTs for AM.

      So when we sign and encrypt the id token, we should:

      • Sign using one of the JWKs from the AM JWKS
      • Encrypt using one of the JWKs from the client JWKS
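The key-selection rule above, and the regression check that would catch the reported behaviour, as an added example (this is illustrative code, not OpenAM's own implementation; the two JWKS documents and the `kid` values are constructed, and the four non-header JWE segments are opaque placeholders rather than real RSA-OAEP/AES output, since the defect is entirely in which JWKS the `kid` is taken from):

```python
import base64
import json

# Constructed sample JWKS documents for illustration; the key material is
# placeholder text, not real RSA parameters. AM holds private keys ("d"),
# the client only publishes public keys.
AM_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "am-sig-1", "use": "sig", "alg": "RS256",
         "n": "<am-sig-modulus>", "e": "AQAB", "d": "<am-sig-private-exponent>"},
        {"kty": "RSA", "kid": "am-enc-1", "use": "enc", "alg": "RSA-OAEP",
         "n": "<am-enc-modulus>", "e": "AQAB", "d": "<am-enc-private-exponent>"},
    ]
}
CLIENT_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "client-sig-1", "use": "sig", "alg": "RS256",
         "n": "<client-sig-modulus>", "e": "AQAB"},
        {"kty": "RSA", "kid": "client-enc-1", "use": "enc", "alg": "RSA-OAEP",
         "n": "<client-enc-modulus>", "e": "AQAB"},
    ]
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def select_key(jwks: dict, use: str, alg: str, require_private: bool) -> dict:
    """Pick the first JWK matching the intended use and algorithm."""
    for key in jwks["keys"]:
        if key.get("use") != use:
            continue
        if key.get("alg") not in (None, alg):
            continue
        if require_private and "d" not in key:
            continue
        return key
    raise LookupError(f"no usable {use} key for {alg}")


def select_signing_key(am_jwks: dict, alg: str = "RS256") -> dict:
    # Signing needs AM's own private key, so the key must come from the AM JWKS.
    return select_key(am_jwks, "sig", alg, require_private=True)


def select_encryption_key(client_jwks: dict, alg: str = "RSA-OAEP") -> dict:
    # Encrypting for the client needs the client's public key, so the key must
    # come from the client JWKS.
    return select_key(client_jwks, "enc", alg, require_private=False)


def build_encrypted_id_token(key_source_jwks: dict, alg: str = "RSA-OAEP",
                             enc: str = "A128CBC-HS256") -> str:
    """Assemble a compact JWE whose protected header carries the chosen kid.

    Only the protected header is real; the encrypted key, IV, ciphertext and
    tag segments are constructed placeholders, not cryptographic output."""
    key = select_key(key_source_jwks, "enc", alg, require_private=False)
    header = {"alg": alg, "enc": enc, "cty": "JWT", "kid": key["kid"]}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    placeholder = b64url_encode(b"constructed-segment")
    return ".".join([protected, placeholder, placeholder, placeholder, placeholder])


def protected_header(compact_jwe: str) -> dict:
    return json.loads(b64url_decode(compact_jwe.split(".", 1)[0]))


def kid_is_decryptable_by_client(compact_jwe: str, client_jwks: dict) -> bool:
    """Regression check for this issue: the kid must name a client 'enc' key,
    otherwise the client holds no matching private key and cannot decrypt."""
    client_enc_kids = {k["kid"] for k in client_jwks["keys"] if k.get("use") == "enc"}
    return protected_header(compact_jwe).get("kid") in client_enc_kids


# Reported behaviour: the kid is taken from the AM keystore JWKS.
BUGGY_JWE = build_encrypted_id_token(AM_JWKS)
# Expected behaviour: the kid is taken from the client JWKS.
FIXED_JWE = build_encrypted_id_token(CLIENT_JWKS)

if __name__ == "__main__":
    for label, jwe in (("buggy", BUGGY_JWE), ("fixed", FIXED_JWE)):
        print(label, "kid:", protected_header(jwe)["kid"],
              "client can decrypt:", kid_is_decryptable_by_client(jwe, CLIENT_JWKS))
```

The check in `kid_is_decryptable_by_client` is the assertion an integration test for this ticket would make after generating an encrypted ID token: decode the protected header and confirm the `kid` resolves to an `enc` key in the client's JWKS rather than in AM's.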

      How to reproduce

      Generate an ID token with encryption enabled.

      Expected

      The kid should be one of the keys of the client JWKS.

      Actual

      The kid is one of the AM JWKS keys, for which the client doesn't have the private key, so it can't decrypt the token.

      People

      • Assignee:
        Quentin CASTEL
      • Reporter:
        Quentin CASTEL
