tom

Reputation: 2712

OpenID connect provider, supporting HMAC not RSA, how to conform without jwks_uri?

I'm implementing an OpenID connect provider and I can't see anything in the spec that mandates a particular signing algorithm. This means I should be able to just implement HMAC/HS256 and not bother with using certificates. Is that right?

If so, why is jwks_uri mandatory in the metadata?

Upvotes: 0

Views: 604

Answers (2)

Hans Z.

Reputation: 54108

Discovery isn't required but if you do support it, the metadata document must include a jwks_uri and support RS256. IOW, you can support "none"-only without Discovery.

Upvotes: 1

Pieter Ennes

Reputation: 2409

A valid question I think.

The core spec hints that there might be situations that you don't have to:

OPs MUST support signing ID Tokens with the RSA SHA-256 algorithm (an alg value of RS256), unless the OP only supports returning ID Tokens from the Token Endpoint (as is the case for the Authorization Code Flow) and only allows Clients to register specifying none as the requested ID Token signing algorithm.

But then the discovery document goes on to contradict that by not allowing you to advertise just none as an id_token_signing_alg:

The algorithm RS256 MUST be included.

The latter, of course, does in turn justify having a required jwks_uri, but it feels odd.

Upvotes: 1
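An added example (stdlib Python, not code from the question or either answer; all issuer, client and secret values are constructed) showing the two halves of the discussion above: an OP minting an ID Token with HS256, where the MAC key is the client_secret, an RP verifying it after receiving it from the Token Endpoint, and a check of a discovery document against the REQUIRED jwks_uri and the RS256 MUST-be-included rule, which is what an HS256-only OP cannot satisfy.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_mac(client_secret: str, signing_input: str) -> bytes:
    # OIDC Core 10.1: for HS256 the MAC key is the UTF-8 octets of the client_secret
    return hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_id_token_hs256(claims: dict, client_secret: str) -> str:
    """OP side: mint an ID Token as a compact JWS signed with the client's own secret."""
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(hs256_mac(client_secret, signing_input))

def verify_id_token_hs256(token: str, client_secret: str, issuer: str, client_id: str, now=None) -> dict:
    """RP side: verify an ID Token received from the Token Endpoint; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    h_b64, p_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the alg registered for this client; never accept "none" here
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not hmac.compare_digest(hs256_mac(client_secret, h_b64 + "." + p_b64), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        raise ValueError("iss/aud/exp check failed")
    return claims

def discovery_problems(metadata: dict) -> list:
    """Check the two Discovery requirements quoted in the answers; returns a list of violations."""
    problems = []
    if "jwks_uri" not in metadata:
        problems.append("jwks_uri missing (REQUIRED)")
    if "RS256" not in metadata.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 missing from id_token_signing_alg_values_supported")
    return problems

# Constructed sample values (not a real OP or client).
ISSUER, CLIENT_ID, CLIENT_SECRET = "https://op.example", "client-123", "shared-client-secret"
HS256_ONLY_METADATA = {"issuer": ISSUER, "id_token_signing_alg_values_supported": ["HS256"]}

if __name__ == "__main__":
    tok = sign_id_token_hs256({"iss": ISSUER, "sub": "u1", "aud": CLIENT_ID, "iat": 1000, "exp": 2000}, CLIENT_SECRET)
    print(verify_id_token_hs256(tok, CLIENT_SECRET, ISSUER, CLIENT_ID, now=1500))
    print(discovery_problems(HS256_ONLY_METADATA))  # shows why an HS256-only OP cannot publish conforming metadata
```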
