I want to implement an OpenID Connect server, but I don't know how I should manage JWKs for clients: just a single JWK to sign all JWTs, or generate a JWK per client?
I would appreciate any tutorial link to help me.
Each client should have their own JWK. OpenID Connect Dynamic Client Registration 1.0 defines jwks and jwks_uri as client metadata.
Ok, I researched it, and this is what I found:
Google uses a single endpoint to get its JWKs and verify signatures, no matter which client.
Auth0 uses a single private key per tenant, so it uses a single public/private key pair for all clients in that tenant.
Keycloak uses a single key per realm, so all clients in that realm use that single public key.
My Conclusion
If our OP is multi-tenant, public/private keys can be unique per tenant; otherwise, use a single public/private key pair for all clients. Please note we should also have key rotation.
I have integrated wso2is-5.5.0 and WebLogic 12c (OWSM) with our product for the OAuth2 implementation.
I imported the wso2carbon certificate into the WebLogic 12c (OWSM) keystore for token decryption.
I am facing the same issue; can anyone please provide information about the following questions:
How does wso2is-5.5.0 encrypt the OAuth token? With which key? What is the key location path?
I am not able to see the correct kid value in our OAuth token generated from wso2is-5.5.0, because the key alias is wso2carbon but the token has kid NTAxZmMxNDMyZDg3MTU1ZGM0MzEzODJhZWI4NDNlZDU1OGFkNjFiMQ.
Do I have to use a custom certificate and key alias? Can you please provide a document/link with the steps to follow?
Is there any way to use a custom OAuth Client Key and OAuth Client Secret?
Answering your questions:
If you have enabled JWT encryption, it is encrypted with the key you have configured in the service provider.
In the IS implementation, the thumbprint of the certificate is used for the kid value.
To encrypt the JWT, you always have to upload the public cert to the service provider config; otherwise you can't encrypt the JWT. So you are always using a custom certificate. Refer to this doc for more details on how to add a cert to the service provider config.
This is possible if you are adding the service provider from the admin service. Refer to this doc for more information.
Apart from the above questions, if you are signing the JWT, it is signed using the server private key (for the super tenant; in the case of a tenant, the tenant private key is used). The default keystore wso2carbon.jks is located in <IS_HOME>/repository/resources/security. You must change this keystore when you deploy to production. Refer to this and this to change the keystore.
Hope all of your questions are answered.
If an authentication server supplies multiple JSON Web Keys (e.g. https://www.googleapis.com/oauth2/v3/certs), which should be used to verify an OpenID Connect id_token as part of the OpenID Connect Implicit Flow?
Should the id_token be verified with the first JSON Web Key, with all of the JSON Web Keys, or is the id_token considered valid if it can be verified with any of the provided JSON Web Keys?
Thanks!
When there are multiple keys in play that the OpenID Connect provider could use to sign an id_token, the header of the id_token would typically contain a key identifier (in the kid element) of the key that is actually used. That corresponds to the kid element in the JWK published on the (jwks_uri) endpoint that you describe. So the id_token would only be valid if it can be verified using the key that is associated with the kid in the header.
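An added example (not code from the original thread) of the kid-based selection this answer describes, which also illustrates the rotation point from the earlier conclusion: the provider publishes two keys at once, and only the key whose kid matches the token header is tried. It uses HS256 "oct" keys so it runs with the standard library alone; Google's JWKS carries RSA keys, so a real verifier would swap in an RSA library and would additionally check iss, aud and exp.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed JWKS: the provider publishes two keys at once (the old one stays
# published during rotation so id_tokens signed with it still verify).
JWKS = {"keys": [
    {"kty": "oct", "kid": "2023-11", "alg": "HS256", "k": b64url_encode(b"constructed-old-secret-0000000000")},
    {"kty": "oct", "kid": "2024-05", "alg": "HS256", "k": b64url_encode(b"constructed-new-secret-1111111111")},
]}


def sign_id_token(claims: dict, jwk: dict) -> str:
    """Mint an HS256 JWT whose header names the signing key via kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    parts = [b64url_encode(json.dumps(h, separators=(",", ":")).encode()) for h in (header, claims)]
    sig = hmac.new(b64url_decode(jwk["k"]), ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_id_token(token: str, jwks: dict) -> dict:
    """Verify with exactly the key whose kid matches the header; never try them all."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("no unique key for kid %r" % header.get("kid"))
    jwk = matches[0]
    # Pin the algorithm to what the key was published for; trusting the header's alg alone is a known pitfall
    if header.get("alg") != "HS256" or jwk.get("alg") != "HS256":
        raise ValueError("algorithm mismatch")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under kid %r" % jwk["kid"])
    return json.loads(b64url_decode(payload_b64))
```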
I have an application for Windows in C# and I wanted to connect to Google Calendar. In the tutorials and documentation example here, they require some client secret which is to be generated when requesting a client ID for a service account. But it's not. However, I can see the public key fingerprints, and I installed a certificate that was generated when I requested the client ID.
My guess is that their documentation is outdated. Can anyone give me a tutorial/reference or explain how this should work now?
Thanks
Last time I used the Google Calendar API, you did not need a Client Secret for OAuth Service Account authorization. You just need the Application ID, private key and the service account email address, if I am right. I used it with Java, but here is an example for .NET if it can help you.
https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#service_account
According to RFC 6749 (OAuth 2.0), the token endpoint of an OAuth 2.0 authorization server requires client authentication in the following cases.
The client type of the client application is confidential.
The client type of the client application is public but the client application has been issued client credentials (client_id + client_secret).
To put it the other way around, client authentication is not required (so client_secret is not needed) when the client type of the client application is public and the client application has not been issued client credentials.
By definition, a public client cannot keep its client credentials confidential. Therefore, in general, implementations of OAuth 2.0 authorization servers won't issue a client secret for public client applications. It sounds like Google's implementation behaves that way, too.
Probably, the reason Google did not issue a client secret to your application was that the client configuration you chose had made your client application a public client.
The public key fingerprint is a different matter. RFC 6749 (OAuth 2.0) does not mention anything about public keys. Instead, I guess it may be related to OpenID Connect Core 1.0, OpenID Connect Dynamic Client Registration 1.0 (especially token_endpoint_auth_method), or Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants. You have to read Google's document to know what the public key fingerprint is for.
I'm implementing an OAuth secured API, and I assign each client a consumer key and secret. I don't want to assign a separate API key that clients and I have to keep track of. I'm thinking that authentication happens like this: they generate their payload, sign it with their key and secret, and transmit the key.
On the server, I store the client secret, keyed by their key. When I receive the payload, I use their key to look up the secret, then I decode the payload with that secret. So the secret is not transmitted, but the key is.
So my question is: is this a safe way to handle this situation, or am I missing something important here?
If you are talking about how a client authenticates to the authorization server, OAuth 2.0 requires that the endpoint is secured with TLS, and so recommends just using Basic authentication.
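An added example (not code from the original thread) of the token-endpoint rules both of the answers above lean on: the client builds the HTTP Basic header the way RFC 6749 section 2.3.1 specifies (each value form-urlencoded before base64, so a colon or slash inside the secret survives the "id:secret" split), and the server demands credentials from confidential clients and from any client that was issued a secret, while letting a credential-less public client through. The client registry and the SHA-256 secret storage are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote, unquote

# Constructed client registry. Secrets are stored as SHA-256 digests here for
# brevity (assumption); a production server would use a slow, salted hash.
CLIENTS = {
    "web-app": {"type": "confidential", "secret_sha256": hashlib.sha256(b"s3cret:with/odd chars").digest()},
    "mobile-app": {"type": "public", "secret_sha256": None},
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the header RFC 6749 section 2.3.1 describes: form-urlencode each value, then base64 'id:secret'."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def authenticate_token_request(authorization: Optional[str], form_client_id: Optional[str]) -> str:
    """Return the client_id allowed to call the token endpoint, or raise ValueError ('invalid_client')."""
    if authorization:
        scheme, _, b64 = authorization.partition(" ")
        if scheme != "Basic":
            raise ValueError("invalid_client: unsupported scheme")
        # The first ':' is the separator; an encoded secret cannot contain a raw ':'
        cid, _, secret = base64.b64decode(b64).decode().partition(":")
        cid, secret = unquote(cid), unquote(secret)
        client = CLIENTS.get(cid)
        if client is None or client["secret_sha256"] is None:
            raise ValueError("invalid_client: unknown client or no secret issued")
        if not hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), client["secret_sha256"]):
            raise ValueError("invalid_client: bad secret")
        return cid
    # No credentials presented: allowed only for a public client that was never issued a secret
    client = CLIENTS.get(form_client_id or "")
    if client is None:
        raise ValueError("invalid_client: unknown client")
    if client["type"] == "confidential" or client["secret_sha256"] is not None:
        raise ValueError("invalid_client: client authentication required")
    return form_client_id
```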
I want to provide the OAuth protocol for my own application, using web services for credentials.
How do I get the secret key and consumer key for my application?
If it's your application, then you need to be able to generate the tokens on your server.