OpenAM / OPENAM-6620

jwks_uri generates a kid value different for each server in a site configuration

    Details

      Description

      jwks_uri generates a different kid value for each server in a site configuration. This can cause a validation error for an ID Token signature.

      Steps to Reproduce:

      1. Install and set up two OpenAM servers in a site configuration.
      2. Set up the OpenAM servers as an OIDC OP -
      https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-openid-connect
      3. Get an ID token (including a "kid" value).
      4. Stop the server that returned the ID token.
      5. Access the jwk_uri and look for the kid value.
      -> The value is not found.

      # curl http://openam01.example.co.jp:8080/openam/oauth2/connect/jwk_uri
      {"keys":[{"kty":"RSA","kid":"e0a585ba-5a4c-40ae-bdd3-e85b1cb64c9f","use":"sig","alg":"RS256","n":"AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_","e":"AQAB"}]}
      
      # curl http://openam02.example.co.jp:8080/openam/oauth2/connect/jwk_uri
      {"keys":[{"kty":"RSA","kid":"57311cff-4493-4a02-b4c1-4843f1fb4669","use":"sig","alg":"RS256","n":"AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_","e":"AQAB"}]}
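      The script below is an added example, not part of this issue or of OpenAM. It reproduces the relying-party failure from the two JWKS responses above (the kid that openam01 put into the ID token is not in the JWKS served by openam02) and checks a site's members for exactly this inconsistency by matching keys on their RFC 7638 thumbprint instead of their kid label. The two JWKS documents are constructed from the curl output in the report (kid values, modulus and exponent copied from it); the helper names (jwks_document, kid_resolvable, inconsistent_keys) are this example's own.

```python
"""Added example (not OpenAM code): show why a different kid per site member
breaks ID token validation, and detect the inconsistency across a site's
JWKS endpoints by matching keys on their RFC 7638 thumbprint."""
import base64
import hashlib
import json

# Values copied from the two curl responses in the report. Both servers
# publish the same RSA modulus and exponent; only the kid differs.
KID_OPENAM01 = "e0a585ba-5a4c-40ae-bdd3-e85b1cb64c9f"
KID_OPENAM02 = "57311cff-4493-4a02-b4c1-4843f1fb4669"
RSA_N = ("AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-"
         "kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_")
RSA_E = "AQAB"


def jwks_document(kid):
    """Build the JWKS text a site member returns from /oauth2/connect/jwk_uri
    (constructed here to mirror the report; in practice this is the curl output)."""
    key = {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256", "n": RSA_N, "e": RSA_E}
    return json.dumps({"keys": [key]})


JWKS_OPENAM01 = jwks_document(KID_OPENAM01)
JWKS_OPENAM02 = jwks_document(KID_OPENAM02)


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA JWK: base64url(SHA-256(canonical JSON of e, kty, n)).
    This identifies the key material itself, independent of the kid label."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys are handled in this example")
    canonical = json.dumps({"e": jwk["e"], "kty": "RSA", "n": jwk["n"]},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def thumbprints(jwks_json):
    """Thumbprints of every key in a JWKS document, in document order."""
    return [jwk_thumbprint(k) for k in json.loads(jwks_json)["keys"]]


def kid_resolvable(token_kid, jwks_json):
    """What a relying party does after fetching the JWKS: look up the kid from the
    ID token header. A miss is where the signature validation error comes from."""
    return any(k.get("kid") == token_kid for k in json.loads(jwks_json)["keys"])


def inconsistent_keys(*jwks_docs):
    """Given the JWKS text of every site member, report key material that is
    published under more than one kid, as {thumbprint: {kid, ...}}."""
    kids_by_thumbprint = {}
    for doc in jwks_docs:
        for key in json.loads(doc)["keys"]:
            kids_by_thumbprint.setdefault(jwk_thumbprint(key), set()).add(key.get("kid"))
    return {t: kids for t, kids in kids_by_thumbprint.items() if len(kids) > 1}


if __name__ == "__main__":
    # Steps 3-5 of the report: token signed by openam01, openam01 stopped,
    # the RP's next JWKS fetch is answered by openam02.
    print("kid from openam01 found in openam02 JWKS:",
          kid_resolvable(KID_OPENAM01, JWKS_OPENAM02))
    for thumb, kids in inconsistent_keys(JWKS_OPENAM01, JWKS_OPENAM02).items():
        print("same key", thumb, "published under kids", sorted(kids))
```

      Matching on the thumbprint rather than on kid is what makes the check independent of how each server labels the key, so the same comparison can be run against every member's jwk_uri before a site is put behind a load balancer.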
      

            People

            • Assignee: kohei kohei
            • Reporter: kohei kohei
            • QA Assignee: Filip Kubáň [X] (Inactive)