dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Offer a built-in JWKS endpoint to support encrypted tokens #4683

Open kevinchalet opened 9 years ago

kevinchalet commented 9 years ago

Wilson doesn't support JWE yet, but at this moment, we'll probably want to offer a JWKS endpoint directly in the OIDC middleware (to allow the identity provider to retrieve the public key(s) used to encrypt the identity tokens) and in the JWT bearer middleware (for the access tokens).

Related specs:

Related tickets:

Eilon commented 9 years ago

@blowdart are you familiar with this at all?

Eilon commented 9 years ago

Talked to @blowdart and we're not too eager to support another draft spec right now.

kevinchalet commented 9 years ago

JWK is now an official standard (RFC 7517: http://tools.ietf.org/html/rfc7517), but since OIDC specs have been released before JWK, they explicitly target an older draft. Waiting won't change anything :smile:

More info at http://openid.net/specs/openid-connect-core-1_0.html#PreFinalIETFSpecs

kevinchalet commented 9 years ago

BTW, JWK is already implemented by IdentityModel, since it's required to retrieve the provider metadata of an OIDC server :+1:

Eilon commented 9 years ago

Is it really JWE we're talking about here or JWK/JWKS? We believe that JWK/JWKS are already supported, but that JWE would require more work.

kevinchalet commented 9 years ago

Actually, we're talking about both of them :smile:

JWK/JWKS is already implemented in Wilson, but is only used by the OIDC middleware to retrieve the certificates/keys exposed by the identity provider. I'm actually suggesting the opposite: adding a JWKS endpoint to the OIDC middleware and the bearer middleware to expose a certificate/public key registered by the user and used by the identity server to encrypt the tokens.

Of course, it won't be useful until JWE is implemented in Wilson, but as it's a big feature, it would be great if we had at least a design before RTM.

brentschmaltz commented 8 years ago

We are trying to get JWE on the schedule, no timeline yet.

brentschmaltz commented 7 years ago

@PinpointTownes we are closing in on JWE, see the branch: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/tree/JWE. If a host exposes a JWK/JWKS endpoint, is there a protocol for the initiator to find the right PublicKey and algorithm to use?

kevinchalet commented 7 years ago

@brentschmaltz yep, dynreg: https://tools.ietf.org/html/rfc7591#section-2

Eilon commented 6 years ago

@brentschmaltz - some time has elapsed since we looked at this. Any further thoughts on this?

brentschmaltz commented 6 years ago

@Eilon @PinpointTownes help me understand how this would fit in.

Eilon commented 6 years ago

@brentschmaltz do you have a recent example of how to get the keys to set on the options?

brentschmaltz commented 5 years ago

@PinpointTownes @Eilon Are we speaking about inbound and outbound? Inbound, TokenValidationParameters has three ways to find keys for decryption:

delegate: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L113

set keys directly: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L353

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L556
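What the proposal in this thread looks like when wired up by hand, as an added example that is not code from the issue or from the aspnetcore repository: a minimal API publishes a JWKS document carrying only the public half of an RSA key (the outbound side kevinchalet describes), and the JWT bearer handler is handed the matching private key through TokenValidationParameters.TokenDecryptionKey (one of the inbound options listed above). It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, a placeholder authority and audience, and a constructed key id.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Demo only: a fresh key per start means tokens encrypted before a restart can no
// longer be decrypted. A real deployment loads a persisted key (certificate store, KMS).
RSA encryptionKey = RSA.Create(2048);
const string kid = "enc-example-1"; // constructed key id; rotate by publishing a new kid

// Inbound: the bearer handler needs the PRIVATE key to decrypt JWE access tokens.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.test"; // placeholder identity provider
        options.Audience = "api://example";             // placeholder audience
        options.TokenValidationParameters.TokenDecryptionKey =
            new RsaSecurityKey(encryptionKey) { KeyId = kid };
    });

var app = builder.Build();
app.UseAuthentication();

// Outbound: publish ONLY the public parameters so the identity provider can encrypt
// for this API. A key object that still holds D/P/Q must never reach this document.
app.MapGet("/.well-known/jwks", () =>
{
    RSAParameters pub = encryptionKey.ExportParameters(includePrivateParameters: false);
    return Results.Json(BuildJwks(kid, pub));
});

app.Run();

// Shapes the RFC 7517 document by hand so the output is exactly the members the
// encrypting party needs, independent of how JsonWebKey happens to serialize.
static object BuildJwks(string kid, RSAParameters pub) => new
{
    keys = new[]
    {
        new
        {
            kty = JsonWebAlgorithmsKeyTypes.RSA,   // "RSA"
            use = JsonWebKeyUseNames.Enc,          // "enc": encryption, not signing
            alg = SecurityAlgorithms.RsaOAEP,      // "RSA-OAEP" key-management algorithm
            kid,
            n = Base64UrlEncoder.Encode(pub.Modulus!),
            e = Base64UrlEncoder.Encode(pub.Exponent!),
        }
    }
};
```

The identity provider still has to learn the JWKS URL itself; in this thread that discovery is the dynamic client registration metadata (RFC 7591) rather than anything the bearer handler does.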

Tratcher commented 5 years ago

@brentschmaltz any examples for wiring those up with AAD or any other server? Also, how does the acquisition work?

brentschmaltz commented 5 years ago

@Tratcher AAD doesn't have JWE's yet so nothing for AAD. I'll leave this issue open until we have a public sample.

About acquisition for outbound, I believe that would be related to what @PinpointTownes has pointed out: we need to obtain a public key from metadata.