Skip to content

Feature: Verify JWT by JWK discovered by well known OpenId Connect Discovery endpoint #126

Open
Open
Feature: Verify JWT by JWK discovered by well known OpenId Connect Discovery endpoint#126
@wassy92x

Description

@wassy92x
wassy92x
opened on Nov 14, 2022

We maintain an identity server (IdentityServerr4 for .NET) which provides an well known endpoint to discover all other endpoints.
Among other things there is an URL for the currently used JWKs (jwks_uri).

Example:

{
   "issuer":"http://id.company.com",
   "jwks_uri":"http://id.company.com/.well-known/openid-configuration/jwks",
   "authorization_endpoint":"http://id.company.com/connect/authorize",
   "token_endpoint":"http://id.company.com/connect/token",
   "userinfo_endpoint":"http://id.company.com/connect/userinfo",
   "end_session_endpoint":"http://id.company.com/connect/endsession",
   "check_session_iframe":"http://id.company.com/connect/checksession",
   "revocation_endpoint":"http://id.company.com/connect/revocation",
   "introspection_endpoint":"http://id.company.com/connect/introspect",
   "device_authorization_endpoint":"http://id.company.com/connect/deviceauthorization",
   "frontchannel_logout_supported":true,
   "frontchannel_logout_session_supported":true,
   "backchannel_logout_supported":true,
   "backchannel_logout_session_supported":true,
   "scopes_supported":[
      "openid",
      "profile",
      "tenant",
      "roles",
      "offline_access"
   ],
   "claims_supported":[
      "sub",
      "tenant_id",
      "email",
      "name",
      "family_name",
      "given_name",
      "preferred_username",
      "locale",
      "tenant_name",
      "role"
   ],
   "grant_types_supported":[
      "authorization_code",
      "client_credentials",
      "refresh_token",
      "implicit",
      "password",
      "urn:ietf:params:oauth:grant-type:device_code"
   ],
   "response_types_supported":[
      "code",
      "token",
      "id_token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "response_modes_supported":[
      "form_post",
      "query",
      "fragment"
   ],
   "token_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post"
   ],
   "id_token_signing_alg_values_supported":[
      "RS256"
   ],
   "subject_types_supported":[
      "public"
   ],
   "code_challenge_methods_supported":[
      "plain",
      "S256"
   ],
   "request_parameter_supported":true
}

Example response of jwks_uri:

{
  "keys" : [ {
    "kty" : "RSA",
    "kid" : "1438289820780",
    "use" : "sig",
    "alg" : "RS256",
    "n" : "idWPro_QiAFOdMsJD163lcDIPogOwXogRo3Pct2MMyeE2GAGqV20Sc8QUbuLDfPl-7Hi9IfFOz--JY6QL5l92eV-GJXkTmidUEooZxIZSp3ghRxLCqlyHeF5LuuM5LPRFDeF4YWFQT_D2eNo_w95g6qYSeOwOwGIfaHa2RMPcQAiM6LX4ot-Z7Po9z0_3ztFa02m3xejEFr2rLRqhFl3FZJaNnwTUk6an6XYsunxMk3Ya3lRaKJReeXeFtfTpShgtPiAl7lIfLJH9h26h2OAlww531DpxHSm1gKXn6bjB0NTC55vJKft4wXoc_0xKZhnWmjQE8d9xE8e1Z3Ll1LYbw",
    "e" : "AQAB"
  }, {
    "kty" : "RSA",
    "kid" : "1438289856256",
    "use" : "sig",
    "alg" : "RS256",
    "n" : "zo5cKcbFECeiH8eGx2D-DsFSpjSKbTVlXD6uL5JAy9rYIv7eYEP6vrKeX-x1z70yEdvgk9xbf9alc8siDfAz3rLCknqlqL7XGVAQL0ZP63UceDmD60LHOzMrx4eR6p49B3rxFfjvX2SWSV3-1H6XNyLk_ALbG6bGCFGuWBQzPJB4LMKCrOFq-6jtRKOKWBXYgkYkaYs5dG-3e2ULbq-y2RdgxYh464y_-MuxDQfvUgP787XKfcXP_XjJZvyuOEANjVyJYZSOyhHUlSGJapQ8ztHdF-swsnf7YkePJ2eR9fynWV2ZoMaXOdidgZtGTa4R1Z4BgH2C0hKJiqRy9fB7Gw",
    "e" : "AQAB"
  } ]
}

It would be great if this proxy supports this well known endpoint to validate JWTs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions