You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thank you for your tool, it's amazing and code is very nice.
I developed a plain shell script that implements OAuth authorization for websites that are running on a small devices like router with OpenWRT.
Some OAuth OIDC providers like Google supports auth by id_token that is a JWS. And I need to verify it's signature with Google's JWKS fetched from https://www.googleapis.com/oauth2/v3/certs.
Currently this implemented by using openssl dgst -sha256 -verify command. The problem is that it needs for a public key in an old PEM format. Likely Google provides them at https://www.googleapis.com/oauth2/v1/certs
Now I would like to make it to verify with any JWKS. And likely found your tool.
I got the FB JWKS from https://www.facebook.com/.well-known/oauth/openid/jwks/. The JWKS file has two public keys.
Then I executed jose signature verification for the id_token received from FB:
jose jws ver -i id_token.txt -k fb.jwks.json
It works, great.
But the problem is that keys in JWKS are rotated and changed after some time.
So I just changed the kid in the JWKS and now it's not the same as was used to issue the id_token. The verification was again successful.
So it looks like jose verified the id_token signature against both public keys and it now even care about the kid field in the id_token.
This still looks secure but maybe for a better performance jose can verify signature only against one public key from the JWKS.
Another problem is that if the JWKS file is outdated then signature verification will be failed because the id_token was signed with a newer public key.
So it would be great if jose can return a different exit code if the kid of id_token wasn't found in the JWKS.
Then my script can see that it needs to download an updated JWKS and re-run the verification.
Also from what I see the id_token expiration exp is not checked and outdated tokens are still verified. This is looks like something that is not related to the jose sig verification itself but anyway users may miss to do this.
The text was updated successfully, but these errors were encountered:
Thank you for your tool, it's amazing and code is very nice.
I developed a plain shell script that implements OAuth authorization for websites that are running on a small devices like router with OpenWRT.
Some OAuth OIDC providers like Google supports auth by
id_tokenthat is a JWS. And I need to verify it's signature with Google's JWKS fetched from https://www.googleapis.com/oauth2/v3/certs.Currently this implemented by using
openssl dgst -sha256 -verifycommand. The problem is that it needs for a public key in an old PEM format. Likely Google provides them at https://www.googleapis.com/oauth2/v1/certsNow I would like to make it to verify with any JWKS. And likely found your tool.
I got the FB JWKS from https://www.facebook.com/.well-known/oauth/openid/jwks/. The JWKS file has two public keys.
Then I executed jose signature verification for the id_token received from FB:
It works, great.
But the problem is that keys in JWKS are rotated and changed after some time.
So I just changed the
kidin the JWKS and now it's not the same as was used to issue the id_token. The verification was again successful.So it looks like jose verified the id_token signature against both public keys and it now even care about the
kidfield in the id_token.This still looks secure but maybe for a better performance jose can verify signature only against one public key from the JWKS.
Another problem is that if the JWKS file is outdated then signature verification will be failed because the id_token was signed with a newer public key.
So it would be great if jose can return a different exit code if the
kidof id_token wasn't found in the JWKS.Then my script can see that it needs to download an updated JWKS and re-run the verification.
Also from what I see the id_token expiration
expis not checked and outdated tokens are still verified. This is looks like something that is not related to the jose sig verification itself but anyway users may miss to do this.The text was updated successfully, but these errors were encountered: