OPENAM-14525

HSM secret store should not use the key alias as stable ID

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0, 7.0.0
    • Fix Version/s: 6.5.2, 7.0.0
    • Component/s: secrets
    • Sprint: 2019.4 - Coins
    • Needs backport: Yes

      Description

      Bug description

      As part of the OAuth2 secrets integration, care was taken to ensure that keystore secret stores keep using the same stable IDs (key IDs) as before, so that JWTs remain compatible. Unfortunately it seems that the HSM secret store did not receive the same treatment, which should mean that when secrets are stored in HSM secret stores, the key alias is reported as the key ID, potentially breaking backwards compatibility.

      How to reproduce the issue

      • Set up an HSM secret store in the realm
      • Configure an OIDC provider in the realm
      • Issue id_tokens that use secrets from the HSM secret store to sign the id_token

      Expected behaviour

      The key ID corresponding to the private key should be the same value as what one would see when using keystore secret stores.

      Current behaviour

      The key ID in the id_token JWT is the key alias.
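As an added regression check, not part of this issue or of OpenAM's own code: a small Python script that decodes the protected header of an issued id_token and flags the behaviour described above, a kid that is simply one of the realm's HSM key aliases, and applies the same check to a JWKS document. The alias set, the sample-token builder and the JWKS document are constructed assumptions; no signature is verified.

```python
import base64
import json

# Constructed sample: key aliases configured in the realm's HSM secret store (assumption).
HSM_KEY_ALIASES = {"hsm-oidc-signing", "hsm-oidc-encryption"}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment of a compact JWS (padding is stripped in JWS)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header(token: str) -> dict:
    """Return the protected header of a compact JWS; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0]))


def kid_is_alias(token: str, aliases: set) -> bool:
    """True when the token's kid leaks a raw key alias, i.e. the bug this issue reports."""
    kid = jws_header(token).get("kid")
    return kid is not None and kid in aliases


def jwks_kids_that_are_aliases(jwks: dict, aliases: set) -> list:
    """List every kid in a JWKS document that is really a key alias (should be empty)."""
    return [k.get("kid") for k in jwks.get("keys", []) if k.get("kid") in aliases]


def make_sample_token(kid: str) -> str:
    """Build a constructed, unsigned id_token-shaped JWS for demonstration only (assumption)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    payload = {"iss": "https://am.example.com/am/oauth2", "sub": "demo"}
    return f"{enc(header)}.{enc(payload)}.c2ln"  # "c2ln" is a placeholder signature segment


if __name__ == "__main__":
    buggy = make_sample_token("hsm-oidc-signing")   # kid == alias: current behaviour
    fixed = make_sample_token("3f1c9a2b")           # kid == stable ID: expected behaviour
    print("buggy token leaks alias:", kid_is_alias(buggy, HSM_KEY_ALIASES))
    print("fixed token leaks alias:", kid_is_alias(fixed, HSM_KEY_ALIASES))
```

Run it against an id_token issued by the realm after the reproduction steps above; any `True` result means the HSM secret store is still reporting aliases as key IDs.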

    People

    • Assignee: Michael Carter (michael.carter)
    • Reporter: Peter Major (peter.major, Inactive)
