[OPENAM-4784] OpenID Connect support for RS256 in id_token_signing_alg_values_supported

Created: 24/Oct/14    Updated: 08/Dec/14    Resolved: 08/Dec/14

Status:             Closed
Project:            OpenAM
Component/s:        OpenID Connect
Affects Version/s:  11.0.2
Fix Version/s:      12.0.0
Type:               Bug
Priority:           Major
Reporter:           Nathalie Hoet
Assignee:           Jaco Jooste
Resolution:         Fixed
Labels:             12.0.0-MUST-FIX, AME, TESLA, release-notes
Votes:              0
Remaining Estimate: Not Specified
Time Spent:         Not Specified
Original Estimate:  Not Specified
Sprint:             Sprint 68 - Team Tesla, Sprint 69 - Team Tesla, Sprint 70 - Team Tesla, Sprint 71 - Team Tesla
Cases:              4965
Description
OpenID Connect must support RS256 in id_token_signing_alg_values_supported for OpenID
Connect Discovery; see http://openid.net/specs/openid-connect-discovery-1_0.html:

    id_token_signing_alg_values_supported
    REQUIRED. ... The algorithm RS256 MUST be included. ...

Currently, the .well-known/openid-configuration endpoint reports

    "id_token_signing_alg_values_supported":["HS256","HS512","HS384"]
Comments
Comment by Jaco Jooste [ 13/Nov/14 ]
The algorithm to use is specified on the OAuth2 Client page in the "ID Token Signed Response
Algorithm" field. The Private key for signing is retrieved from the keystore for the alias
configured in "Alias of ID Token Signing Key" on the OAuth2 Provider page.
The upgrade step for this change will do the following:

- Save all OAuth2 Provider configurations. They will not be upgraded with the RS256
  value and will no longer inherit default values from the global settings.
- Add RS256 to the default settings in Configuration | Global | OAuth2 Provider | ID
  Token Signed Response Algorithm.
Comment by raffed [ 14/Nov/14 ]
Will this fix show the key being used (as defined in the Alias of the ID Token Signing Key)
when you navigate to the /.well-known/openid-configuration and then reference the jwks_uri
endpoint, as addressed in https://bugster.forgerock.org/jira/browse/OPENAM-4003?
The fix for now shows the jwks_uri value but there is not a key at the /oauth2/connect/jwk_uri
endpoint.
Thank you
E.R.
Comment by Phill Cunnington [ 14/Nov/14 ]
This is a good point and the fix has been updated to expose the public key for the private
key that was used to sign the id token. The public key is exposed as a JWK at the
/oauth2/connect/jwk_uri endpoint.
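The two halves of this ticket, the discovery document having to advertise RS256 and the public half of the id_token signing key being served as a JWK from /oauth2/connect/jwk_uri, fit together as a provider/relying-party exchange. The following Go program is an added example written for this page; it is not OpenAM code and not from anyone commenting on the ticket. The two discovery documents, the host openam.example.com, the kid value and the claims are constructed for the example. It runs the conformance check a relying party or test would run against the discovery document (the pre-fix HS-only list fails it), builds the JWK a provider would publish for its RSA signing key, signs an id_token with RS256 and verifies it against that JWKS. The verifier accepts only alg=RS256, which is the check a practitioner wants once a public key is published: a token re-labelled HS256 and MACed with the public key as the shared secret, or one with alg=none, must be refused before any key lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Constructed discovery documents for a hypothetical host: the first carries the
// HS-only list quoted in the ticket, the second is what the fixed endpoint must serve.
const BrokenDiscovery = `{"jwks_uri":"https://openam.example.com/openam/oauth2/connect/jwk_uri","id_token_signing_alg_values_supported":["HS256","HS512","HS384"]}`
const FixedDiscovery = `{"jwks_uri":"https://openam.example.com/openam/oauth2/connect/jwk_uri","id_token_signing_alg_values_supported":["HS256","HS512","HS384","RS256"]}`

// JWK is one key object as published at jwks_uri, keyed by JWK member name ("kty", "n", "e", ...).
type JWK map[string]string

// DiscoverySupportsRS256 is the conformance check behind this ticket.
func DiscoverySupportsRS256(doc []byte) (bool, error) {
	var d struct{ Algs []string `json:"id_token_signing_alg_values_supported"` }
	if err := json.Unmarshal(doc, &d); err != nil {
		return false, err
	}
	for _, a := range d.Algs {
		if a == "RS256" {
			return true, nil
		}
	}
	return false, nil
}

// PublicKeyToJWK is what the provider publishes at jwks_uri for its id_token signing key.
func PublicKeyToJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		"e": base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// lookupKey selects the JWK by kid and rebuilds the RSA public key from n and e.
func lookupKey(jwks []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks {
		if k["kid"] == kid {
			n, errN := base64.RawURLEncoding.DecodeString(k["n"])
			e, errE := base64.RawURLEncoding.DecodeString(k["e"])
			if k["kty"] != "RSA" || errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed RSA JWK for kid %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no JWK with kid %q at jwks_uri", kid)
}

// SignIDToken produces an RS256 compact JWS; the kid header lets the relying party pick the JWK.
func SignIDToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, errP := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, errS := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if errP != nil || errS != nil {
		return "", fmt.Errorf("cannot sign id_token: claims %v, signature %v", errP, errS)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyIDToken trusts only alg=RS256: a token re-signed with HS256 using the published
// public key as the HMAC secret, or with alg=none, is rejected before any key is looked up.
func VerifyIDToken(token string, jwks []JWK) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hb, errH := base64.RawURLEncoding.DecodeString(parts[0])
	pb, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("malformed base64url in JWS")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("refusing JOSE header %s: only alg=RS256 id_tokens are accepted", hb)
	}
	pub, err := lookupKey(jwks, hdr.Kid)
	if err != nil {
		return nil, err
	}
	// The signature covers the base64url header and payload exactly as received.
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(pb, &claims)
}
```

A relying party would fetch the real discovery document and jwks_uri over HTTPS and add issuer, audience and expiry checks on the returned claims; the point shown here is that the alg in the token is never allowed to choose the verification method, only the published RS256 key is.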
Comment by GErickson [ 03/Dec/14 ]
Verified as fixed in 21 Nov 2014 12.0.0 nightly trunk build #922, SVN r11466.
Automated regression test is oauth2.TestOpenIdREST.OAM636().
Comment by Chris Lee [ 08/Dec/14 ]
Reopening to add release-notes label.
Comment by Chris Lee [ 08/Dec/14 ]
Added release-notes label.
Generated at Tue Feb 09 21:37:37 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.