OpenAM: OPENAM-16851

Documentation to say we don't support JWTs containing jku claim



      Description

      From what I can find, we only briefly mention not supporting jku in a specific context in the AM OAuth2 docs:

      The jwe and jku formats are not supported, the public key must be represented in jwk format.

As of https://bugster.forgerock.org/jira/browse/CREST-273, FR products using these commons versions and above are able to receive JWTs containing the jku (but we don't actually use it; it just stops OIDC flows from breaking). Before this fix, OAuth2/OIDC flows using JWTs containing jku claims fail completely.

Can we make sure there are clear notices in all product docs, both before the change (do not use them at all) and after the change (we will parse it but not use it)? In AM, for example, we should at least mention this in the Authentication, OAuth2 and OIDC docs.
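Worked example of the two documented behaviours, added here as illustration and not code from OpenAM or the ForgeRock commons library. Note that jku is a JOSE header parameter (RFC 7515), not a claim: it names a URL from which the verifier could fetch the signing keys, so a verifier that honours it lets whoever controls that URL choose the verification key. The example uses HS256 and a symmetric JWK so it runs with the Python standard library only (in practice jku accompanies asymmetric keys, but key selection works the same way). The secret values, the "client-1" kid, the attacker URL and the jku_policy parameter are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secrets and JWK set standing in for the keys an AM
# deployment is configured with (hypothetical values, not from the ticket).
TEST_SECRET = b"constructed-test-secret-with-32-bytes!!"
ATTACKER_SECRET = b"attacker-controlled-secret-of-32-bytes!"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


CONFIGURED_JWKS = {
    "keys": [{"kty": "oct", "kid": "client-1", "k": b64url_encode(TEST_SECRET)}]
}


def build_token(header: dict, claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWS; the caller chooses the header, so it may carry a jku."""

    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, jwks: dict, jku_policy: str = "ignore") -> dict:
    """Verify an HS256 JWS against a configured JWK set and return its claims.

    jku_policy="reject": the pre-fix behaviour the ticket describes, where any
                         token carrying jku fails the flow outright.
    jku_policy="ignore": the post-fix behaviour: the token is parsed, but the
                         jku URL is never dereferenced and plays no part in
                         key selection.
    Raises ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    if "jku" in header:
        if jku_policy == "reject":
            raise ValueError("jku header parameter is not supported")
        # "ignore": deliberately no fetch of header["jku"]; an attacker who
        # controls that URL must not be able to supply the verification key.

    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")

    # Key selection uses only the locally configured JWKS, matched by kid.
    key = next(
        (k for k in jwks["keys"]
         if k.get("kty") == "oct" and k.get("kid") == header.get("kid")),
        None,
    )
    if key is None:
        raise ValueError("no configured key matches kid")

    expected = hmac.new(
        b64url_decode(key["k"]),
        f"{header_b64}.{claims_b64}".encode("ascii"),
        hashlib.sha256,
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(claims_b64))


def demo() -> dict:
    """Exercise the three cases a practitioner cares about; returns a summary."""
    hdr = {"alg": "HS256", "kid": "client-1", "jku": "https://attacker.example/jwks.json"}
    claims = {"iss": "client-1", "sub": "alice", "aud": "openam"}
    legit = build_token(hdr, claims, TEST_SECRET)       # signed with the configured key
    forged = build_token(hdr, claims, ATTACKER_SECRET)  # signed with the key the jku would serve

    def outcome(token: str, policy: str) -> str:
        try:
            return verify_hs256(token, CONFIGURED_JWKS, policy)["sub"]
        except ValueError as exc:
            return f"rejected: {exc}"

    return {
        "legit_ignore": outcome(legit, "ignore"),    # token accepted, jku untouched
        "legit_reject": outcome(legit, "reject"),    # pre-fix: whole flow fails
        "forged_ignore": outcome(forged, "ignore"),  # jku key never consulted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The docs notice the ticket asks for maps onto the two policies: before the fix a jku-bearing token fails as in the "reject" branch; after it the token is accepted only if its signature verifies against a key already configured on the server, which is why the forged token is still refused even though its jku points at a key set that would validate it.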

People

cristina.herraz Cristina Herraz (Inactive)
aaron.haskins Aaron Haskins
