Currently, an OpenPubkey token contains the original signature from the OIDC provider. This arguably means that it isn't safe to share the OpenPubkey token, as the token could be used to impersonate the subject to a service that doesn't check the audience claim, or to trick an OpenPubkey client to issue a token for the subject.
We can create a GQ signature to prove that we hold the original OIDC provider's signature. It can be verified using only the original OIDC signing payload (`header || '.' || payload`) and the OIDC provider's public key. This works because a GQ private key is just an RSA signature: holding the provider's RSA signature over the signing payload is the same as holding the GQ private key for that payload under the provider's public key.
The GQ signature can be published in place of the OIDC provider's signature in an OpenPubkey token.
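The scheme sketched above, as an added example in Python (my own construction of the standard GQ proof of knowledge, not OpenPubkey's own code). The OIDC provider's RS256 signature `sigma` satisfies `sigma^e == J (mod n)`, where `J` is the PKCS#1 v1.5 encoding of the signing input, so `sigma` is an e-th root of `J` and serves as the GQ private key. The prover commits to random `r_i`, derives Fiat-Shamir challenges from the commitments, and answers `z_i = r_i * sigma^c_i`; the verifier, holding only `(n, e)` and the signing input, checks `z_i^e == R_i * J^c_i`. Assumptions of this example: 16 rounds of 16-bit challenges (each challenge must be smaller than `e = 65537` for soundness), a demo-sized 1024-bit key generated in pure Python to stand in for the provider's key, a constructed JWT header and payload, and a proof encoded as two lists of integers.

```python
"""GQ (Guillou-Quisquater) proof of possession of an RS256 signature.

Added example: the provider's RSA signature is the GQ private key; the proof
verifies against the JWS signing input and the provider's public key, and the
published proof never contains the signature itself.
"""
import base64
import hashlib
import json
import secrets

RSA_E = 65537
CHAL_BITS = 16   # challenge < e is required for soundness; 65535 < 65537
ROUNDS = 16      # 16 rounds x 16-bit challenges = 256-bit soundness
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, enough for a demo key (use a real library in production)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % RSA_E != 1 and _is_probable_prime(cand):  # gcd(e, p-1) == 1
            return cand


def gen_demo_rsa_key(bits: int = 1024):
    """Constructed stand-in for the OIDC provider's key (real keys are >= 2048 bits)."""
    p = _gen_prime(bits // 2)
    q = _gen_prime(bits // 2)
    while q == p:
        q = _gen_prime(bits // 2)
    n = p * q
    return n, RSA_E, pow(RSA_E, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> int:
    """RS256 message encoding (RFC 8017 EMSA-PKCS1-v1_5) as an integer: the GQ public value J."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(n: int, d: int, signing_input: bytes) -> int:
    """What the OIDC provider does: sigma = J^d mod n, hence sigma^e == J (mod n)."""
    return pow(emsa_pkcs1_v15_sha256(signing_input, (n.bit_length() + 7) // 8), d, n)


def _challenges(n: int, J: int, commitments) -> list:
    """Fiat-Shamir: ROUNDS challenges of CHAL_BITS each, bound to n, J and all commitments."""
    k = (n.bit_length() + 7) // 8
    h = hashlib.sha256(n.to_bytes(k, "big") + J.to_bytes(k, "big"))
    for R in commitments:
        h.update(R.to_bytes(k, "big"))
    digest = int.from_bytes(h.digest(), "big")
    mask = (1 << CHAL_BITS) - 1
    return [(digest >> (CHAL_BITS * i)) & mask for i in range(ROUNDS)]


def gq_prove(n: int, e: int, sigma: int, signing_input: bytes) -> dict:
    """Prove knowledge of sigma with sigma^e == J (mod n) without revealing sigma."""
    J = emsa_pkcs1_v15_sha256(signing_input, (n.bit_length() + 7) // 8)
    nonces = [secrets.randbelow(n - 2) + 1 for _ in range(ROUNDS)]
    commitments = [pow(r, e, n) for r in nonces]
    chals = _challenges(n, J, commitments)
    responses = [(r * pow(sigma, c, n)) % n for r, c in zip(nonces, chals)]
    return {"commitments": commitments, "responses": responses}


def gq_verify(n: int, e: int, signing_input: bytes, proof: dict) -> bool:
    """Needs only the provider's public key and the signing input, never sigma."""
    J = emsa_pkcs1_v15_sha256(signing_input, (n.bit_length() + 7) // 8)
    commitments, responses = proof["commitments"], proof["responses"]
    if len(commitments) != ROUNDS or len(responses) != ROUNDS:
        return False
    for R, z, c in zip(commitments, responses, _challenges(n, J, commitments)):
        if not (0 < R < n and 0 < z < n):
            return False
        # z^e = r^e * sigma^(e*c) = R * J^c (mod n) exactly when sigma^e == J
        if pow(z, e, n) != (R * pow(J, c, n)) % n:
            return False
    return True


def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def run_demo():
    """Returns (real proof accepted, proof accepted for altered payload, forged proof accepted)."""
    n, e, d = gen_demo_rsa_key()
    # Constructed JWS signing input: base64url(header) || '.' || base64url(payload)
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://op.example", "sub": "alice", "aud": "example-client"}).encode())
    signing_input = header + b"." + payload
    sigma = rs256_sign(n, d, signing_input)
    proof = gq_prove(n, e, sigma, signing_input)             # this replaces sigma in the token
    accepts_real = gq_verify(n, e, signing_input, proof)
    accepts_tampered = gq_verify(n, e, signing_input + b"x", proof)
    forged = gq_prove(n, e, secrets.randbelow(n - 2) + 1, signing_input)  # prover lacking sigma
    accepts_forged = gq_verify(n, e, signing_input, forged)
    return accepts_real, accepts_tampered, accepts_forged


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

Each response `z_i` is the product of a uniformly random `r_i` and `sigma^c_i`, so the proof is distributed independently of `sigma` and publishing it in place of the provider's signature does not hand out a credential usable against an audience-agnostic service. The cost is size: 16 commitment/response pairs of modulus length, roughly 8 KB for a 2048-bit provider key; publishing only the challenge hash and recomputing the commitments would halve that.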