Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add support for JWE token to OpenIdConnectProtocolValidator #841

Closed
wants to merge 1 commit into from

Conversation

Projects
None yet
4 participants
@van-vothanh
Copy link

commented Nov 28, 2017

use the alg value from the header of the decrypted jwt for c_hash and at_hash validations

@msftclas

This comment has been minimized.

Copy link

commented Nov 28, 2017

CLA assistant check
All CLA requirements met.

@brentschmaltz

This comment has been minimized.

Copy link
Member

commented Dec 7, 2018

@van-vothanh I am closing this now as we shouldn't be accepting JWE in the protocol verifier.

We need a model for web server runtimes to handle JWE and pass clear text.

@scottbrady91

This comment has been minimized.

Copy link

commented Feb 16, 2019

We shouldn't be accepting JWE in the protocol verifier

@brentschmaltz So, if I receive an identity token as a JWE (compact serialization), you're expecting OpenIdConnectProtocolValidator to receive the inner token?

@brentschmaltz

This comment has been minimized.

Copy link
Member

commented Feb 19, 2019

@scottbrady91 I think that makes sense, as the JWE is just a wrapper of a JWS. The JWS has the payload that needs validation. It's also the alg of the JWS that defines the hash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.