release bug - OL 18.104.22.168 <mpJwt> configuration ignores the jwksUri attribute #3117
According to this document one can utilize the JWKS specification and fetch the signing public key(s) from a uri, instead of dealing with keys, stored in the keystore file:
<mpJwt id="myMpJwt" jwksUri="https://example.com/api/jwk" ... </mpJwt>
I don't think this is working in OL 22.214.171.124: if I configure this JWKS URI in my configuration, I see this failure in the logs:
There are no logs indicating any attempt to download the signing PK from the uri.
Try this at jwt.io:
You should decipher it into this:
It is issued by auth0.com and the JWK keys are here: https://rhown-dev.auth0.com/.well-known/jwks.json
To your other question: auth0.com has a valid SSL certificate. This should be verifiable out-of-the-box with any JDK distribution and the default cacerts file. Why do I need to import the auth0.com cert file into OL's own keystore file???
Also, if the jwksUri signing key fetch fails, should I not see something in the logs for that? Currently I see nothing.
Then maybe this is something to reconsider: auth0.com, okta.com and many other public auth providers all have valid certificates for their JWKS URLs that should be verifiable with the default JDK root certificates only, with no need for extra work. OL should cascade down to the JDK's default cacerts and not require a new one.
The reason I am asking for this is that building a keystore file requires access to the openssl utility (not easily found on Windows) for cert conversion, and is painful in an automated deployment environment.