FTS-1674

Change the key retrieval algorithm in access token offline validation


    Details

    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: fts-rest 3.10.0
    • Fix Version/s: fts-rest 3.10.0
    • Component/s: REST API
    • Security Level: Public Data (This ticket is visible to anyone on the internet and will be indexed by search engines)
    • Labels:
      None

      Description

      Right now, the OIDC token validation flow is adapted for WLCG tokens.
      The public key is retrieved using the kid hint from the JWT header.

      According to the specification, however, the kid field is optional:
      https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.4

      Furthermore, the following sections describe methods of key selection:
      https://www.rfc-editor.org/rfc/rfc7515.html#section-6
      https://www.rfc-editor.org/rfc/rfc7515.html#appendix-D

      For FTS, the following algorithm is proposed:

      1. Retrieve and cache all keys from the JWK endpoint
      2. Filter the keys against the optional kid header field
      3. Filter the keys against the optional alg header field
      4. For each key from the remaining set:
        1. If key successfully decodes the token, stop the process and return valid
        2. If not, continue to the next key
      5. Return invalid if no key decodes the token
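The proposed algorithm, worked through as an added example that is not part of the ticket or of fts-rest. It implements steps 1 to 5 over a JWKS-style key set: the whole set is fetched once and cached (KeyCache, with a hypothetical fetch_jwks standing in for the HTTPS call to the issuer's jwks_uri), candidates are narrowed by kid and then by alg only when the header carries them, and every remaining key is tried until one verifies the signature. Two points a practitioner would want on top of the description: RFC 7515 section 4.1.1 makes alg a required header, so a token without a supported alg (including "none") is rejected outright rather than matched against keys; and if a kid is present but matches no cached key, the candidate set is empty and the token is invalid, so a stale cache should be refreshed on that path. The key set and tokens are constructed symmetric (oct / HMAC) keys so the example runs with only the standard library; OIDC providers publish asymmetric keys in practice, so verify_with_key is the one function to swap for an RSA/EC verifier.

```python
"""Added example (not fts-rest code): key selection for offline JWS validation
following RFC 7515 section 6 / appendix D. fetch_jwks, KeyCache, select_keys
and validate_token are names assumed for this example."""
import base64
import hashlib
import hmac
import json
import time

# Symmetric JWS algorithms understood by this example (asymmetric ones would
# go through a cryptography-library verifier instead).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _oct_jwk(secret: bytes, kid: str = None, alg: str = "HS256") -> dict:
    """Build an RFC 7517 'oct' JWK; kid is optional, as in RFC 7515 4.1.4."""
    jwk = {"kty": "oct", "alg": alg, "k": b64url_encode(secret)}
    if kid:
        jwk["kid"] = kid
    return jwk


# Constructed key set standing in for the issuer's jwks_uri response:
# two rotated keys with kids, plus one legacy key published without a kid.
SAMPLE_JWKS = {"keys": [
    _oct_jwk(b"previous-rotation-secret", kid="2023-06"),
    _oct_jwk(b"current-rotation-secret", kid="2024-01"),
    _oct_jwk(b"legacy-secret-without-kid"),
]}


def fetch_jwks(issuer: str) -> dict:
    """Hypothetical stand-in for an HTTPS GET of the issuer's jwks_uri."""
    return SAMPLE_JWKS


class KeyCache:
    """Step 1: retrieve the whole key set once per issuer and reuse it for ttl seconds."""

    def __init__(self, ttl: int = 3600):
        self.ttl = ttl
        self.fetches = 0
        self._entries = {}  # issuer -> (expires_at, keys)

    def keys(self, issuer: str, now: float = None) -> list:
        now = time.time() if now is None else now
        entry = self._entries.get(issuer)
        if entry is None or entry[0] <= now:
            self.fetches += 1
            entry = (now + self.ttl, fetch_jwks(issuer)["keys"])
            self._entries[issuer] = entry
        return entry[1]


def select_keys(keys: list, header: dict) -> list:
    """Steps 2-3: narrow by kid, then by alg. A key without an alg stays eligible."""
    candidates = list(keys)
    if "kid" in header:
        candidates = [k for k in candidates if k.get("kid") == header["kid"]]
    if "alg" in header:
        candidates = [k for k in candidates if k.get("alg") in (None, header["alg"])]
    return candidates


def verify_with_key(signing_input: bytes, signature: bytes, key: dict, alg: str) -> bool:
    """HMAC verification with a constant-time comparison; swap for RSA/EC in production."""
    if key.get("kty") != "oct" or alg not in HMAC_ALGS:
        return False
    expected = hmac.new(b64url_decode(key["k"]), signing_input, HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, signature)


def validate_token(token: str, keys: list, now: float = None):
    """Steps 4-5: try each candidate key; return the claims on first success, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    alg = header.get("alg")
    if alg not in HMAC_ALGS:  # alg is required (RFC 7515 4.1.1); also rejects "none"
        return None
    signing_input = f"{h64}.{p64}".encode("ascii")
    for key in select_keys(keys, header):
        if verify_with_key(signing_input, signature, key, alg):
            now = time.time() if now is None else now
            if claims.get("exp", now + 1) <= now:
                return None  # valid signature but expired: invalid regardless of key
            return claims
    return None  # no candidate key verified the signature (or no candidate at all)


def issue_token(claims: dict, key: dict) -> str:
    """Issuer side, used only to construct sample tokens; kid is copied when the key has one."""
    header = {"typ": "JWT", "alg": key["alg"]}
    if "kid" in key:
        header["kid"] = key["kid"]
    h64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), HMAC_ALGS[key["alg"]])
    return f"{h64}.{p64}.{b64url_encode(mac.digest())}"
```

Note the kid filter is strict: a token that names a kid which is not in the set is rejected even if another key would verify it, which is what step 2 asks for and also keeps an attacker from steering selection towards an unintended key.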


People

Assignee:
mipatras Mihai Patrascoiu
Reporter:
mipatras Mihai Patrascoiu
