Details
- Type: Task
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- fts-rest 3.10.0
- Security Level: Public Data (This ticket is visible to anyone on the internet and will be indexed by search engines)
Description
Right now, the OIDC token validation flow is adapted for WLCG tokens.
The public key is retrieved using the kid hint from the JWT header.
According to the specification, however, the kid field is optional:
https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.4
Furthermore, the following sections describe methods of key selection:
https://www.rfc-editor.org/rfc/rfc7515.html#section-6
https://www.rfc-editor.org/rfc/rfc7515.html#appendix-D
For FTS, the following algorithm is proposed:
- Retrieve and cache all keys from the JWK endpoint
- Filter the keys against the optional kid header field
- Filter the keys against the optional alg header field
- For each key from the remaining set:
  - If the key successfully decodes the token, stop the process and return valid
  - If not, continue to the next key
- Return invalid if no key decodes the token
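The proposed selection algorithm, as an added illustration that is not FTS code: the JWK set, the token-minting helper and the `select_candidate_keys`/`validate_token` function names are all constructed for this example. Symmetric "oct" keys are used so it runs with only the standard library; WLCG issuers publish RSA keys, but the kid/alg filtering and the try-each-remaining-key loop are identical. The verifier only runs algorithms from a fixed allowlist, so the token header can narrow the candidate keys but never choose an algorithm the validator did not intend to run.

```python
import base64
import hashlib
import hmac
import json

# Constructed JWK set standing in for the cached contents of the issuer's JWK
# endpoint (not a real issuer's keys). The second key has no "alg" member,
# which RFC 7517 allows; it must therefore survive the alg filter.
SECRET_A = base64.urlsafe_b64encode(b"constructed-secret-for-key-a").rstrip(b"=").decode()
SECRET_B = base64.urlsafe_b64encode(b"constructed-secret-for-key-b").rstrip(b"=").decode()
JWKS = {"keys": [
    {"kty": "oct", "kid": "key-a", "alg": "HS256", "k": SECRET_A},
    {"kty": "oct", "kid": "key-b", "k": SECRET_B},
]}

# Algorithms this validator is willing to run. The header's "alg" is only
# used to filter keys; anything outside this set (including "none") is rejected.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def select_candidate_keys(jwks, header):
    """Narrow the cached key set using the optional kid and alg header fields."""
    keys = list(jwks["keys"])
    kid = header.get("kid")
    if kid is not None:
        keys = [k for k in keys if k.get("kid") == kid]
    alg = header.get("alg")
    if alg is not None:
        # A key pinned to a different algorithm is dropped; a key with no
        # "alg" member may be used with any compatible algorithm and is kept.
        keys = [k for k in keys if k.get("alg") in (None, alg)]
    return keys


def verify_hs256(key, signing_input, signature):
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_token(token, jwks):
    """Return the claims if some candidate key verifies the signature, else None."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for key in select_candidate_keys(jwks, header):
        if key.get("kty") == "oct" and verify_hs256(key, signing_input, signature):
            return json.loads(b64url_decode(payload_b64))
    # Every remaining key failed, or none survived the filters: invalid.
    return None


def mint_hs256(claims, secret_b64url, kid=None):
    """Issuer-side helper that exists only to build tokens for this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(b64url_decode(secret_b64url), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


if __name__ == "__main__":
    claims = {"sub": "alice", "iss": "https://issuer.example"}
    # kid present: only key-b is tried
    print(validate_token(mint_hs256(claims, SECRET_B, kid="key-b"), JWKS))
    # kid absent: key-a fails, the loop continues, key-b succeeds
    print(validate_token(mint_hs256(claims, SECRET_B), JWKS))
    # kid names a key that did not sign the token: no candidate verifies
    print(validate_token(mint_hs256(claims, SECRET_B, kid="key-a"), JWKS))
```

A token without a kid costs one signature check per cached key rather than one, which is why the kid and alg filters run first; with a kid present the behaviour is the same as the current kid-only lookup, and the related FTS-1436 hard-coded 'rsa1' lookup disappears because the set is filtered rather than indexed by a fixed name.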
Issue Links
- is related to: FTS-1436 _validate_token_offline hardcodes 'rsa1' as JWK kid (Closed)