This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Making kid in id_token optional #96

Closed
janekolszak opened this issue Aug 28, 2016 · 10 comments

@janekolszak

Great library! Thank you so much for providing this!

Can you make kid in id_token optional?
(It's optional in the spec)

I use hydra for handling OIDC, and it doesn't always issue id_tokens with a key id.
oidc-client-js fails to validate those tokens

@brockallen
Member

Do you have a link for their metadata/jwks, or a sample that I can look at?

@janekolszak
Author

Here's a discussion regarding this "kid" issue in the hydra project: ory/hydra#222

Example id_token:

{
  "alg": "RS256",
  "typ": "JWT"
}
{
  "aud": "d7f2ee09-8d28-4be2-bb89-ce3a5e7c3217",
  "auth_time": 1471691398,
  "exp": 1471694997,
  "iat": 1471691398,
  "iss": "hydra.localhost",
  "nonce": "wqwdpdahrbeotxwzqaldhyow",
  "sub": "john.doe@me.com"
}

@aeneasr

aeneasr commented Aug 29, 2016

Hey, I'm the author of hydra. According to the OIDC spec, the kid is required when using asymmetric encryption and a JSON Web Key Set that has more than one key. This makes sense because it's painfully slow trying out all the keys to see if it's the right one when using RSA/EC.

Asymmetric signing however does not know a kid header at all and therefore should not be a required header key if you do not want to break spec. :)

Sources:

@aeneasr

aeneasr commented Aug 29, 2016

An exemplary JWK set used for signing the ID token in Hydra looks like:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "private",
      "n": "pf_v6pWI_3qV9gPsAdAlLdwz6mJ2lxSkywqN3LJP_AN40FdKRkfxXrwcPr6jVWhrxxm89loXeiDdgg5k7fhmOwYAKoCV_hkQ3osJzj4Zl5A0Ds7P7yGZaNO05IcVtzIipJxcUolk_7cO5LwNj1vfGNzdAUx0CIWtQAd3pPl96D7X9amYZgfTKRoC5cU1VO5_wq8QDfijXPYQStOGlunlTTCkS0pm5Q2kD-HJe53ZZo844HGqHsL2Nbo_n6qPCLP2x2Mp9dI0B5m8ReLdJCcyHEKajFR2DuBUukAHcwRqyzqM0UZ4U55iv28z7xJA-DfUZ-EsiqNBPWRMooEOCDk_kb0gzox3n7celEWoo3Yl0Pxkq7Mj0BOUFaUIHeLKHR-oMC-ZkyMLfAcrGnACfd0YCTxwsO-q6yKjci8QVIYJjRiWKDt0_SP1smjiBGQqPmUQMzoFHVm9PUf9Iu3UByzy8lv9QK-WhrFc1Wh9hlHqwLiry_SBkQTtbH5g53IE1fdbxpU7ZEdB9aXac_SC24Xjv0yBI7rUSbWp_KoSV0U_0pwLp63XigbN7jdgZ2yNYgvsbOlnFcV-FmTRrAqh4XmfbiGBW6uTus6exaD7mekD_CKBlKRxwgeulkzcnqpdfO42J5NSvtncJX36P78jZhbKAa9H-o2VtwdINBh-iJm7tJU",
      "e": "AQAB",
      "d": "nlkKT0fdq3cQXeFX3FLlZF3N2COc5Hl4yYaD1KbzzX6yXGsoGuq9wJTIjMHlpK87QG2453cBNirrogiBFtABFQSgW-rVKdJXWTJgZDCw0Pdp8UYu6_mtEWYCBI0nld1pVoUhPEp74cKJnoAUn1AP_POSjo6TkR2TKqT06JZmGIj6EQl6qrmEII0DfpMkUKRBk0DTm8A2dZLz76zfkk4DwiJIVtneVVkxy0SiohztKPwuUUub8EQiARZtYq2cS70AByr899VQdH-eLTw_nyEUmAigzIQ1KfOsXw59DKaGCN8NPQRv-7P2lo5JiCBtgVogcAdIKeeZcCqhP9LDw-x4SdA4K5vwtGWD0l-8_3jifQysMeTOd7FZba4FQInqz8vqtgC9NlJy1GdZ_0qms8GmMhJ29lvDUBU8qJWc9JTjM-ajTq4avHlBQvf1IBf7ifWWvzTA5ie3-IWQGnTTT297a2fr3hmNuOrjHvpeC56oAA_UQ8Q7QjEoGFoMmnhso9YVTE8O9sAFOydrvCu3jwMMNoCESkchiKsmtSOlo_qNkxWixRUrJ3a5sPLPs_aF7TqksIVFClambC5ptWafnkvgIb4Zw1-CddUbQNlONbaqwDtaTFnGxRiE5vlaZy6JpUsfAQ-dwjPN4s0t0Ja5LHsTK0aBWRl40EFypvasr9CHHfE",
      "p": "0feV2nzvc3HXYDd_cBmQNjPQACVU4dbF6yqVN24_n9wSRxIkhTNF-mSaK3fcYSETMpdwkYYXYiDaGjO-NJ_bOshAHzsds5OZl3npjclDlENVCbcSOOGKD9_a_Mk0xvKozMPXJh3EEF35n4zj7y9UQoT4BRjtk5_TVXMRrIJQ0FKtS2Is1HxznbqkT15jPp8noviLtGM6LVAY5Gwg__czERZAtR_hHUn62WrUFHZ2WMCDlB4QZczrfB_Vi0dOBbSdE_5HooZQrFzlF8aGal5Ly5D-pb7LoT-l9PwirSSi136kEkzeAPJO8jgAH10yWZLYIgKLFey82mR0YdVQjooEzw",
      "q": "ymSuTUIvXNEeLX_R_GAxDZGnAFJYAt9NsnuBsenWn_kvqpFDigEAZailbk1HT9y89_D3TXqPSDrsyd5dFFVdPaVUGLcJZ3L3nHNKwpwiuoVVhINU2fD5-UMzQAS6PkCEYc5YdqK7ScoPDDD3T-WbX74lbDXiRhmm2DjJcx-AzPmHNj6unZah3xS9cwmpSt_qcVsUTRapTa5kWApkdf2pmm4PpquFEMG4YZv7qHDtwuvJtkvjmZM_GhJyXcmUAwSGunwcXhKNZryiv8GFSBm-iEPxp_BXngB5ulSMqPHQOZaW63KI1Qwkod52tQtcZI2SkoKdmQjGkdfGB9tt4RHRWw"
    },
    {
      "kty": "RSA",
      "kid": "public",
      "n": "pf_v6pWI_3qV9gPsAdAlLdwz6mJ2lxSkywqN3LJP_AN40FdKRkfxXrwcPr6jVWhrxxm89loXeiDdgg5k7fhmOwYAKoCV_hkQ3osJzj4Zl5A0Ds7P7yGZaNO05IcVtzIipJxcUolk_7cO5LwNj1vfGNzdAUx0CIWtQAd3pPl96D7X9amYZgfTKRoC5cU1VO5_wq8QDfijXPYQStOGlunlTTCkS0pm5Q2kD-HJe53ZZo844HGqHsL2Nbo_n6qPCLP2x2Mp9dI0B5m8ReLdJCcyHEKajFR2DuBUukAHcwRqyzqM0UZ4U55iv28z7xJA-DfUZ-EsiqNBPWRMooEOCDk_kb0gzox3n7celEWoo3Yl0Pxkq7Mj0BOUFaUIHeLKHR-oMC-ZkyMLfAcrGnACfd0YCTxwsO-q6yKjci8QVIYJjRiWKDt0_SP1smjiBGQqPmUQMzoFHVm9PUf9Iu3UByzy8lv9QK-WhrFc1Wh9hlHqwLiry_SBkQTtbH5g53IE1fdbxpU7ZEdB9aXac_SC24Xjv0yBI7rUSbWp_KoSV0U_0pwLp63XigbN7jdgZ2yNYgvsbOlnFcV-FmTRrAqh4XmfbiGBW6uTus6exaD7mekD_CKBlKRxwgeulkzcnqpdfO42J5NSvtncJX36P78jZhbKAa9H-o2VtwdINBh-iJm7tJU",
      "e": "AQAB"
    }
  ]
}

@janekolszak
Author

So what do you say @brockallen ?

@brockallen
Member

Yes, I'm willing to look into. I've just been swamped with other work at the moment. I'll look into it when I get time.

@gonzalad
Contributor

Hello,

I got the same issue using CXF OIDC Authorization server.

If it can be of any help, here is the information I have on my side.

Here's the id token returned by CXF:

{
  "alg": "RS256"
}
{
  "preferred_username": "alice",
  "sub": "QMPtSMyzJA_ZpSj-yHhTdQ",
  "iat": 1473624630,
  "exp": 1473628230,
  "iss": "accounts.talend.com",
  "given_name": "alice",
  "family_name": "alice",
  "email": "alice@gmail.com",
  "name": "alice alice",
  "aud": "s9xl5BDuJKhRzg",
  "azp": "s9xl5BDuJKhRzg",
  "at_hash": "lo7xcgH61z7oqKizA_NJzw",
  "nonce": "d8a2489f6927498c835766d4d93e7797"
}

And the jwk:

{
   "keys":[
      {
         "kty":"RSA",
         "alg":"RS256",
         "n":"AMSBK-IlFaDphtJa96Vjt5et9KMEw_dIzDe-OfZQjAUSkZ1FQoWDaIOkrnbXq_7jfz7dgOx0QS9AMrgh7sEMnd0NGm1tmQr12Zxb9CIkIVFKTBQseCnJGn4Qctt24GVROqlogXs8_Og2NeSa8XJhnUwJFPoVG1QDHswVANlE6jS9TOXZG6fN5TyRwZwrzRVrcbDfUxV-t-HOTBeI_hrFlrJLYfPohZsGIckZvO7AwT6BH9A32L04HfZLGHFwtIjFKTXueC2R8BJZl_HQ8ctwr50L4wytowcpiQT1viJU9gj01xMkRR9wJ-ybenpciQw22wNn2BQ48B3t749Xg8h6v1M",
         "e":"AQAB",
         "kid":"alice",
         "use":"sig"
      }
   ]
}
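The two cases in this thread (aeneasr's spec reading: kid is only needed to pick a key out of a set with several; gonzalad's token: no kid in the header, one signing key in the JWKS) come down to one key-selection rule for the verifier. The following is an added example of mine, not code from oidc-client-js, Hydra or CXF. It parses the unverified JOSE header, narrows the JWKS to public keys of the right type, uses kid when present and otherwise tries the remaining candidates. The `verify` callable (standing in for a JOSE library's signature check), the sample JWKS and its placeholder key values are assumptions; real JWKS entries that carry private members such as "d" are skipped rather than used.

```python
"""Select which JWK(s) may verify an ID token whose header may omit "kid"."""
import base64
import json
from typing import Callable, Dict, List, Optional

# Map the JWS "alg" to the key type a candidate JWK must have. Unknown
# algorithms (including "none") are rejected before any key is consulted.
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
}

# JWK members that only appear in private (or symmetric) keys. A published
# JWKS must never carry them, so such entries are skipped, never trusted.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used by JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_header(token: str) -> Dict:
    """Parse the JOSE header of a compact JWS. Nothing in it is trusted yet;
    it only tells us which key(s) to try for the signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))


def candidate_keys(header: Dict, jwks: Dict) -> List[Dict]:
    """Return the JWKs that may verify a token with this header.

    With a "kid" the match is exact (no match means no candidates). Without
    one, every public key of the right type is a candidate, subject to the
    "use" and "alg" restrictions a key states for itself.
    """
    alg = header.get("alg")
    kty = ALG_TO_KTY.get(alg)
    if kty is None:
        raise ValueError(f"unsupported alg {alg!r}")
    keys = [
        k for k in jwks.get("keys", [])
        if k.get("kty") == kty
        and PRIVATE_MEMBERS.isdisjoint(k)
        and k.get("use", "sig") == "sig"
        and k.get("alg", alg) == alg
    ]
    kid = header.get("kid")
    if kid is not None:
        return [k for k in keys if k.get("kid") == kid]
    return keys


def find_verifying_key(token: str, jwks: Dict,
                       verify: Callable[[str, Dict], bool]) -> Optional[Dict]:
    """Try each candidate in order. Every attempt is a full signature check
    (assumed to be done by `verify`), which is why a "kid" matters once the
    set holds more than one key of the same type."""
    for key in candidate_keys(peek_header(token), jwks):
        if verify(token, key):
            return key
    return None


# Constructed sample data; key parameters are placeholders, not key material.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "alice", "use": "sig", "alg": "RS256",
     "n": "n-placeholder-1", "e": "AQAB"},
    {"kty": "RSA", "kid": "bob", "n": "n-placeholder-2", "e": "AQAB"},
    {"kty": "RSA", "kid": "private", "n": "n-placeholder-2", "e": "AQAB",
     "d": "d-placeholder"},                     # private key: must be ignored
    {"kty": "EC", "kid": "ec1", "crv": "P-256", "x": "x-ph", "y": "y-ph"},
]}


def sample_token(header: Dict) -> str:
    """Build a compact JWS with a constructed payload and dummy signature."""
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([seg(header), seg({"sub": "john.doe@me.com"}), b64url_encode(b"sig")])


if __name__ == "__main__":
    token = sample_token({"alg": "RS256", "typ": "JWT"})      # no "kid"
    print([k["kid"] for k in candidate_keys(peek_header(token), SAMPLE_JWKS)])
```

With a header that omits kid, the RS256 candidates are "alice" and "bob"; the entry with a "d" member and the EC key are never considered. A header naming a kid that is not in the set yields no candidates, so the token fails closed instead of falling back to trying everything.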

@brockallen
Member

Ok, thanks. I'm still swamped with IdentityServer4. Once we RTM then I'll be able to get back to this.

@brockallen
Member

PR merged. thanks

@janekolszak
Author

Awesome!

@brockallen brockallen added this to the 1.2.0 milestone Oct 6, 2016