Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support public key JWT #18

Open
TimothyBJacobs opened this issue May 7, 2020 · 0 comments
Open

Support public key JWT #18

TimothyBJacobs opened this issue May 7, 2020 · 0 comments
Projects
Dynamic Client Auth v1

Comments

@TimothyBJacobs
Copy link
Member

The dynamic client auth spec recommends JWTs be signed using public/private key auth.

When presented to the authorization server as part of a
client registration request, the software statement MUST be digitally
signed or MACed using JSON Web Signature (JWS) [RFC7515] and MUST
contain an "iss" (issuer) claim denoting the party attesting to the
claims in the software statement. It is RECOMMENDED that software
statements be digitally signed using the "RS256" signature algorithm

The spec does not describe how one should determine the public key to verify against. One possible way we could do this would be to inspect the iss header, and ping a .well-known address for a public key based of the iss URL. For instance, $iss/.well-known/wp-api.key. We would then need to verify that the iss, client_uri and redirect_uris are all in the same domain.

We could then show on the connection screen that this is an authorized $client_uri app ( or something to that effect ).
@TimothyBJacobs TimothyBJacobs mentioned this issue May 21, 2020
Closed
TimothyBJacobs added a commit that referenced this issue May 21, 2020
@TimothyBJacobs
First pass at a basic form of verified software statements.
ab1c964 
This checks the JWT for an "iss" header. If one is present,
we fetch a public key at that host ".well-known/wp-api/oauth2.pem",
and use that public key to verify the JWT.

If a client is verified we display a "verified" message on the connect screen.

This also adds a new "--sign" flag to the CLI command to generate a signed
software statement.

Fixes #18.
@TimothyBJacobs TimothyBJacobs mentioned this issue May 21, 2020
Open
@TimothyBJacobs TimothyBJacobs moved this from To do to In Progress in Dynamic Client Auth v1 May 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Dynamic Client Auth v1
  
In Progress
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TimothyBJacobs