Details

    • Support Ticket IDs:

      Description

      Bug description

      Our JOSE library has a bug in the definition of the keyuse:

      We defined it as an enum but in fact, it can be any kind of value.

      https://tools.ietf.org/html/rfc7517#section-4.2

       
      Other values MAY be used.
      This class needs to be refactored accordingly, otherwise it can't parse jwk_uri like:

      https://keystore.openbankingtest.org.uk/0015800001041RbAAI/9o1TzQWvOo6hE7ose6hUaR.jwks

       

      {
      "keys": [
      {
      "e": "AQAB",
      "kid": "DUZR2yqq8dndsA9aA3e53iqB4YU",
      "kty": "RSA",
      "n": "t-fbvMmbg5fk3cJuewvaUQM3cOnc9hRNUxm1dA7cbgzNdfbTwwIuPAJ9LWlhj2TBClifQfh72a9mNW38H-nfg7rCuKnTOk_3oogGS3Wh8AzAME2oPdl-ZRDawhmkb6CCiljvTFIpX0emsh_2d0AyR7YvcfUcMY4DY6Vts_V-c17aTSoxcWPLb6sZt-qsWQ_KSSfIoMvhs8uoJZIjTo51Xed3jugjDcn3EOsrBhhKqkqu4QvYBolnB8GdpS-ct-aFBEAQyNtXrzFramtW9hZlmrzrqnfm1r3z5VmI53RTJFdm9va3923tAHKMoanZk6q0rq48dWNj_TOB6aDhrQxJPw",
      "use": "tls",
      "x5c": [
      "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"
      ],
      "x5t": "tO0J5T4hCu6yqUSZup8WXj03FM4=",
      "x5u": "https://keystore.openbankingtest.org.uk/0015800001041RbAAI/DUZR2yqq8dndsA9aA3e53iqB4YU.pem",
      "x5t#S256": "bpeUL3vDbV30QJHGsxvwq9ZhLWXOP7ooJSsA9WNviNU="
      },
      {
      "e": "AQAB",
      "kid": "GLfTlh_NZEpzjkm0_uLpsNQPuvk",
      "kty": "RSA",
      "n": "yAjX27dq70jRHr3VdfTwJYwWcIq6zEhsSR3855qLtyTvuwdPgvBUM3Kg4HV7DQ7TBrfcaya_On5KeW2fv0XGoDW8WDYbp2CfJw_N3vMU4dGt5emN5uMtRXBgR5mz_i_3-JMS57Rot5Gfp0Kjk3swXzacueapLkMktFRph5ZU7brJhWx5SXIt0X09nZ5csGRM37N5HtVx0j1B3YY1B91aXcAizMyPgv5MXdz45V9Bn22qSS9QBxOTtYqMwsOZHYrFPfUErUpgiSoUbIqNTSeJQFvQ99k4lZoPtxtAce3FU51_FlDRXvbkm90wyvhdsyAKPx3UYm-0D1Ks8wQKsvDzcw",
      "use": "sig",
      "x5c": [
      "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"
      ],
      "x5t": "q6SvxHZ0s8SixkzbqvL1wwtlpLk=",
      "x5u": "https://keystore.openbankingtest.org.uk/0015800001041RbAAI/GLfTlh_NZEpzjkm0_uLpsNQPuvk.pem",
      "x5t#S256": "gnYOhLbrPMCrdA0LsB505NCixWOYri2zHZuBgBjfsd4="
      },
      {
      "e": "AQAB",
      "kid": "aBvAN0K3_iyoJzXmY0CkLS_7tgM",
      "kty": "RSA",
      "n": "9ENYSAjKer_sGf9Zhh_rfUe4Oqmj5gXpVsG00iwCs0zuvFjG5ezkib1rF4J6hA8aTCTN1YiG657XWWXCrzHYeiI5lkS34kMEEK3G2bpFOWlC0couyU_OGLEoiga10dFSPyPD5qdeLi69qeUMvKc2oZ4jm5TzAu2ZTW3252q99-VM4deWZLzV0fRWeZsEDluTY_s0y-chN0IbpOp6zFJ2iu0lMkCCtTUd2p0PB0engf11wITBBdgSlaGofwCappVmrm3wLsFbtfy8NfwYysWo20YSusmIijM6XO0AilKh-iMwkpheOUwCmKAX8I-P1rV-K6aPn30D_oA0z9Kv6TDhjw",
      "use": "tls",
      "x5c": [
      "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"
      ],
      "x5t": "aBvAN0K3_iyoJzXmY0CkLS_7tgM=",
      "x5u": "https://keystore.openbankingtest.org.uk/0015800001041RbAAI/aBvAN0K3_iyoJzXmY0CkLS_7tgM.pem",
      "x5t#S256": "eC70DS6FJZMx_MD_1niPMY8qEUAeU5m9gFnLdz7puyk="
      }
      ]
      }

       

      How to reproduce the issue


      1. Register an OIDC client with this JWK_uri
      2. Try to do a client credential flow with client assertion

      Expected behaviour

      AM parses the jwk_uri, finds the signing key and issues an access token

      Current behaviour

      AM will fail reading the jwk_uri

      Work around

      None

      Business use-case

      This is a blocker for Open Banking as the Open Banking directory decided to use the use=tls for hosting their transport keys.
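
The failure mode described above, as an added example that is not part of the original report and not the library's own code (it is written in Python, not the library's Java): a closed enum rejects the whole key set when one key carries `use=tls`, while keeping `use` as an opaque string lets the set parse and still restricts signature verification to keys marked `sig`. The function names, the constructed key set and the policy of requiring an explicit `sig` value are assumptions made for the illustration.

```python
import json
from enum import Enum


class StrictKeyUse(Enum):
    """Closed set of values: the pattern the report identifies as the bug."""
    SIG = "sig"
    ENC = "enc"


# Constructed sample: same shape as the JWKS in the report, key material replaced.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "transport-1", "use": "tls", "e": "AQAB", "n": "constructed"},
    {"kty": "RSA", "kid": "signing-1", "use": "sig", "e": "AQAB", "n": "constructed"},
    {"kty": "RSA", "kid": "transport-2", "use": "tls", "e": "AQAB", "n": "constructed"},
]})


def parse_strict(jwks_text):
    """Raises ValueError for the whole set once any key has an unlisted 'use'."""
    keys = json.loads(jwks_text)["keys"]
    return [(k["kid"], StrictKeyUse(k["use"])) for k in keys]


def parse_tolerant(jwks_text):
    """Keep 'use' as an optional, case-sensitive string (RFC 7517 section 4.2)."""
    parsed = []
    for k in json.loads(jwks_text)["keys"]:
        use = k.get("use")
        if use is not None and not isinstance(use, str):
            raise ValueError(f"'use' must be a string in key {k.get('kid')!r}")
        parsed.append({**k, "use": use})
    return parsed


def signing_key(jwks_text, kid=None):
    """Pick the verification key. Assumed policy: only an explicit 'sig' qualifies,
    so keys with other uses are parsed and kept but never used to verify."""
    candidates = [k for k in parse_tolerant(jwks_text)
                  if k["use"] == "sig" and (kid is None or k["kid"] == kid)]
    if len(candidates) != 1:
        raise LookupError(f"expected exactly one signing key, found {len(candidates)}")
    return candidates[0]
```
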


              People

              • Assignee:
                phillcunnington Phill Cunnington
                Reporter:
                quentin.castel Quentin CASTEL [X] (Inactive)