
Require that both RS256 and ES256 must be supported if the signature algorithm is not configured #333

Open
wants to merge 1 commit into base: main from signature_algorithm_rs_rs256_es256
Conversation

sberyozkin (Contributor)

@sberyozkin sberyozkin commented Jun 20, 2024

This PR is meant to align how a situation with a non-configured signature algorithm is managed with how it is done for the unconfigured decryption algorithm.

If a decryption algorithm is not configured, both RSA-OAEP and RSA-OAEP-256 encrypted tokens must be accepted.

Now, similarly, if a signature algorithm is not configured, both RS256 and ES256 signed tokens must be accepted.

The end goal is to let an MP JWT Bridge JwtAuthenticationMechanismDefinition offer a consistent List representation for both signature and encryption properties.

CC @ayoho @jimmy1wu
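The resolution rule the PR describes, written out as an added Python example (not code from this PR or from the MicroProfile JWT project): the configured value wins, and an absent value falls back to the two-element allowlist for signatures (RS256, ES256) and for key management (RSA-OAEP, RSA-OAEP-256). It assumes the MP JWT config keys mp.jwt.verify.publickey.algorithm and mp.jwt.decrypt.key.algorithm and that a configured value may be a comma-separated list (the List<String> injection discussed below); the token is a constructed sample with a placeholder signature.

```python
import base64
import json

# Defaults proposed by this PR when the property is not configured.
DEFAULT_SIG_ALGS = frozenset({"RS256", "ES256"})
DEFAULT_KEY_MGMT_ALGS = frozenset({"RSA-OAEP", "RSA-OAEP-256"})

# Assumed MP JWT config property names.
SIG_ALG_PROPERTY = "mp.jwt.verify.publickey.algorithm"
KEY_MGMT_ALG_PROPERTY = "mp.jwt.decrypt.key.algorithm"


def _resolve(config: dict, prop: str, default: frozenset) -> frozenset:
    """Configured value (assumed comma-separated) wins; otherwise the default pair."""
    value = config.get(prop)
    if value is None or not value.strip():
        return default
    return frozenset(a.strip() for a in value.split(",") if a.strip())


def allowed_signature_algs(config: dict) -> frozenset:
    return _resolve(config, SIG_ALG_PROPERTY, DEFAULT_SIG_ALGS)


def allowed_key_management_algs(config: dict) -> frozenset:
    return _resolve(config, KEY_MGMT_ALG_PROPERTY, DEFAULT_KEY_MGMT_ALGS)


def _header(token: str) -> dict:
    """Decode the base64url JOSE header (first dot-separated segment)."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)  # restore padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(seg))


def header_alg_accepted(token: str, allowed: frozenset) -> bool:
    """Allowlist check applied before any key lookup or signature work:
    only an explicitly allowed 'alg' (never a value like 'none') passes."""
    alg = _header(token).get("alg")
    return isinstance(alg, str) and alg in allowed


def make_token(alg: str) -> str:
    """Constructed sample token: header, empty payload, placeholder signature."""
    raw = json.dumps({"alg": alg, "typ": "JWT"}).encode()
    header = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{header}.e30.placeholder"
```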

@sberyozkin sberyozkin requested review from dblevins and starksm64 June 20, 2024 13:30
@sberyozkin sberyozkin added this to the MPJWT-2.2 milestone Jun 20, 2024
@sberyozkin (Contributor Author) commented:

I'll support it with TCK tests once it is agreed via approvals

@sberyozkin sberyozkin force-pushed the signature_algorithm_rs_rs256_es256 branch 2 times, most recently from 297e442 to edc4b7f Compare September 26, 2024 11:55
@sberyozkin sberyozkin force-pushed the signature_algorithm_rs_rs256_es256 branch from edc4b7f to 9b36a80 Compare September 26, 2024 12:43
@sberyozkin (Contributor Author) commented:

There are a real lot of assertions in TCK tests expecting RS256 by default

@sberyozkin (Contributor Author) commented Oct 6, 2024

That said, the spec does not require anywhere that the signature algorithm must be injected as a string and not as a set of strings, so I may as well tweak TCK tests to expect a List<String> injection for the signature alg configuration property.
