Replies: 2 comments 3 replies
-
|
As a quick fix, you may configure the key as PEM. Does your token have any other indication of the used key, e.g. an I'm not sure about all implications, but at first sight, it feels wrong to try any key for validation. But it could be an option to try any key of a defined issuer. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, I know that workaround but I need a sustainable solution. |
Beta Was this translation helpful? Give feedback.
-
|
Would it be possible to use that fingerprint to identify the public key directly or in the JWKS? |
Beta Was this translation helpful? Give feedback.
-
|
yes. We would have to extend the sda-commons implementation to configure the key identifier. |
Beta Was this translation helpful? Give feedback.
-
|
Solved in #2546 |
Beta Was this translation helpful? Give feedback.
-
Hi sda-commons developers,
I am currently faced with the following situation.
The issued key has no kid header (but only x5t) defined, but the kid is included in the JKWS, provided by the identity provider.
Due to this line:
sda-dropwizard-commons/sda-commons-server-auth/src/main/java/org/sdase/commons/server/auth/service/AuthService.java
Line 42 in 290f65a
I cannot validate the token. Is it mandatory that if the token has no kid, then the key must also have no key id or is it ok to be more flexible here, e.g. check against all known keys is keyid is not given?
Thanks
Beta Was this translation helpful? Give feedback.
All reactions