
Stateless JWT access token doesn't add the kid

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 14.0.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: oauth
    • Labels:
    • Sprint: AM Sustaining Sprint 34
    • Story Points: 3
    • Support Ticket IDs:

      Description

      When generating a stateless access token, AM generates a JWT and signs it. The problem is that AM doesn't indicate which JWK was used for the signature by putting the kid in the access token JWT header.
      Not having the kid prevents client applications from checking the signature unless they have manual access to the public key: they can't use the JWKS_URI to fetch the JWK used for the signature. Key rotation is also not possible.

      EDIT after discussion with engineering:

      The fact that we represent this access token as a JWT is our own choice, and there are no standards that say the client application actually needs to verify the signature. The important bit is that AM should be able to verify it, which is the case today.
      However, having chosen the JWT format for the stateless access token, it makes sense to provide the kid as well.

      How to reproduce

      Generate an access token in stateless mode

      eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwiYWxnIjoiSFMyNTYifQ.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.WfjNXmFOhNpO7BQdfFvWhyXRVqdiHBUbOOavXh83frk
      

      Expected result

      Having the kid in the JWT header

      Actual result

      No kid

      Code investigation

      AM doesn't even try to look up the kid of the key it signs with. The header is populated with alg and zip only:

      JwsAlgorithm signingAlgorithm = getSigningAlgorithm(request);
      CompressionAlgorithm compressionAlgorithm = getCompressionAlgorithm(request);
      // Header gets alg and zip; nothing sets a kid for the signing key.
      SignedJwt jwt = jwtBuilder.jws(getTokenSigningHandler(request, signingAlgorithm))
              .claims(claimsSetBuilder.build())
              .headers()
                  .alg(signingAlgorithm)
                  .zip(compressionAlgorithm)
              .done()
              .asJwt();


            People

            • Assignee: Quentin CASTEL (quentin.castel) [X] (Inactive)
            • Reporter: Quentin CASTEL (quentin.castel) [X] (Inactive)
            • Votes: 0
            • Watchers: 5
