Open kevinchalet opened 9 years ago
@blowdart are you familiar with this at all?
Talked to @blowdart and we're not too eager to support another draft spec right now.
JWK is now an official standard (RFC 7517: http://tools.ietf.org/html/rfc7517), but since the OIDC specs were released before JWK, they explicitly target an older draft. Waiting won't change anything :smile:
More info at http://openid.net/specs/openid-connect-core-1_0.html#PreFinalIETFSpecs
BTW, JWK is already implemented by IdentityModel, since it's required to retrieve the provider metadata of an OIDC server :+1:
Is it really JWE we're talking about here or JWK/JWKS? We believe that JWK/JWKS are already supported, but that JWE would require more work.
Actually, we're talking about both of them :smile:
JWK/JWKS is already implemented in Wilson, but is only used by the OIDC middleware to retrieve the certificates/keys exposed by the identity provider. I'm actually suggesting the opposite: adding a JWKS endpoint to the OIDC middleware and the bearer middleware to expose a certificate/public key registered by the user and used by the identity server to encrypt the tokens.
Of course, it won't be useful until JWE is implemented in Wilson, but as it's a big feature, it would be great if we had at least a design before RTM.
We are trying to get JWE on the schedule, no timeline yet.
@PinpointTownes we are closing in on JWE, see the branch: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/tree/JWE If a host exposes a JWK/JWKS endpoint, is there a protocol for the initiator to find the right PublicKey and algorithm to use?
@brentschmaltz yep, dynreg: https://tools.ietf.org/html/rfc7591#section-2
@brentschmaltz - some time has elapsed since we looked at this. Any further thoughts on this?
@Eilon @PinpointTownes help me understand how this would fit in.
@brentschmaltz do you have a recent example of how to get the keys to set on the options?
@PinpointTownes @Eilon Are we speaking about inbound and outbound? Inbound, TokenValidationParameters has three ways to find keys for decryption:
set keys directly: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L353
@brentschmaltz any examples for wiring those up with AAD or any other server? Also, how does the acquisition work?
@Tratcher AAD doesn't have JWE's yet so nothing for AAD. I'll leave this issue open until we have a public sample.
About acquisition for outbound, I believe that would be related to what @PinpointTownes has pointed out: we need to obtain a public key from metadata.
Wilson doesn't support JWE yet, but at this moment, we'll probably want to offer a JWKS endpoint directly in the OIDC middleware (to allow the identity provider to retrieve the public key(s) used to encrypt the identity tokens) and in the JWT bearer middleware (for the access tokens).
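An added example, not code from this thread or from Wilson, of the key selection @brentschmaltz asked about: a constructed JWKS in the shape such a middleware endpoint would serve (toy-sized moduli, not real keys) and a selector that picks the one RSA public key matching the requested `alg` and `kid`, never an `use: "sig"` key, and refuses ambiguous matches. All function names and sample values here are assumptions.

```python
import base64
import json

def b64url_decode(s: str) -> bytes:
    # base64url without padding, as JWS/JWK use it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_uint(n: int) -> str:
    # unsigned big-endian integer -> base64url, the encoding JWK uses for "n" and "e"
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def rsa_jwk(kid, n, use, alg, e=65537):
    # Constructed public RSA JWK (toy-sized moduli below, not real keys)
    return {"kty": "RSA", "kid": kid, "use": use, "alg": alg,
            "n": b64url_uint(n), "e": b64url_uint(e)}

# Constructed sample of what a JWKS endpoint on the middleware would serve
N_SIG, N_ENC_2016, N_ENC_2017 = 0xC4A7F1, 0xB93D2E5F, 0xA1E0C7
SAMPLE_JWKS = json.dumps({"keys": [
    rsa_jwk("sig-2016", N_SIG, "sig", "RS256"),
    rsa_jwk("enc-2016", N_ENC_2016, "enc", "RSA-OAEP"),
    rsa_jwk("enc-2017", N_ENC_2017, "enc", "RSA-OAEP"),
    {"kty": "EC", "kid": "ec-1", "use": "enc", "alg": "ECDH-ES",
     "crv": "P-256", "x": "AAAA", "y": "AAAA"},  # non-RSA, skipped below
]})

def select_encryption_key(jwks_json, alg, kid=None):
    """Return (kid, n, e) of the one RSA public key an initiator may encrypt to.
    Signing keys are never eligible; kid disambiguates when several keys fit.
    Raises LookupError on zero or several matches so a wrong key is never picked silently."""
    matches = []
    for k in json.loads(jwks_json).get("keys", []):
        if k.get("kty") != "RSA":
            continue  # only RSA key management handled in this example
        if k.get("use") not in (None, "enc"):
            continue  # "use" absent means unrestricted (RFC 7517 4.2); "sig" is out
        if k.get("alg") not in (None, alg):
            continue  # key pinned to another algorithm
        if kid is not None and k.get("kid") != kid:
            continue
        matches.append(k)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} keys match alg={alg} kid={kid}")
    k = matches[0]
    n = int.from_bytes(b64url_decode(k["n"]), "big")
    e = int.from_bytes(b64url_decode(k["e"]), "big")
    return k["kid"], n, e
```

With several encryption keys published, the `kid` the initiator learned out of band (for example through the dynamic registration metadata linked above) is what makes the choice unambiguous.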
Related specs:
Related tickets: