Support EdDSA keys in JWT authentication policy #6713

Open
maxtropets opened this issue Dec 26, 2024 · 0 comments

Comments

@maxtropets (Collaborator)

maxtropets commented Dec 26, 2024

Mentioned by @achamayou here: https://github.com/microsoft/CCF/pull/6680/files#r1873482195

However, I don't find anything in the JWT/JWT RFCs about EdDSA, according to the table, there's no corresponding alg to specify that.

   +--------------+-------------------------------+--------------------+
   | "alg" Param  | Digital Signature or MAC      | Implementation     |
   | Value        | Algorithm                     | Requirements       |
   +--------------+-------------------------------+--------------------+
   | HS256        | HMAC using SHA-256            | Required           |
   | HS384        | HMAC using SHA-384            | Optional           |
   | HS512        | HMAC using SHA-512            | Optional           |
   | RS256        | RSASSA-PKCS1-v1_5 using       | Recommended        |
   |              | SHA-256                       |                    |
   | RS384        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-384                       |                    |
   | RS512        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-512                       |                    |
   | ES256        | ECDSA using P-256 and SHA-256 | Recommended+       |
   | ES384        | ECDSA using P-384 and SHA-384 | Optional           |
   | ES512        | ECDSA using P-521 and SHA-512 | Optional           |
   | PS256        | RSASSA-PSS using SHA-256 and  | Optional           |
   |              | MGF1 with SHA-256             |                    |
   | PS384        | RSASSA-PSS using SHA-384 and  | Optional           |
   |              | MGF1 with SHA-384             |                    |
   | PS512        | RSASSA-PSS using SHA-512 and  | Optional           |
   |              | MGF1 with SHA-512             |                    |
   | none         | No digital signature or MAC   | Optional           |
   |              | performed                     |                    |
   +--------------+-------------------------------+--------------------+

There's also no support for EdDSA in PyJWT, which we use, so e2e testing is not easily extendable.

As a part of this ticket, the use of alg may also be revisited:

  • It's present in all JWKs mentioned in JWT: support both certs and raw public keys #6601 except Entra.
  • However, all .well-known/openid-configuration documents seem to have id_token_signing_alg_values_supported specified, which has never been standardised, AFAICT. It may be used as a default option for the keys.
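An added example (not CCF's code and not part of the issue comment above): a stdlib-only Python sketch of the policy the comment describes. It decides the permitted alg for each key from the JWK's own alg, falling back to the issuer's id_token_signing_alg_values_supported, restricts both to what the key type can actually do, and only then verifies the signature, including an EdDSA (Ed25519) token. The EdDSA alg value and the OKP key type are registered in RFC 8037 rather than in the RFC 7518 table quoted above, which is why the table does not list them. Ed25519 is implemented inline after the RFC 8032 reference arithmetic so the example runs without PyJWT or the cryptography package. The JWKS, the discovery document, the HMAC key, the kid-based key selection and the make_jwt helper are constructed assumptions; the Ed25519 key is the RFC 8037 Appendix A.1 example key.

```python
# Added example, not CCF's code: a JWT "alg" policy driven by the JWK's alg (falling back to the
# issuer's id_token_signing_alg_values_supported) plus EdDSA/Ed25519 verification, stdlib only.
# Ed25519 follows the RFC 8032 reference arithmetic (not constant-time; for illustration).
# JWKS and discovery documents below are constructed; the OKP key is RFC 8037 Appendix A.1.
import base64, hashlib, hmac, json

# ---- Ed25519 (RFC 8032) ----
P, Q = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
D, SQRT_M1 = (-121665 * pow(121666, P - 2, P)) % P, pow(2, (P - 1) // 4, P)
def _add(a, b):  # point addition in extended coordinates (X, Y, Z, T)
    A, B = (a[1] - a[0]) * (b[1] - b[0]) % P, (a[1] + a[0]) * (b[1] + b[0]) % P
    C, E = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    return ((B - A) * (E - C) % P, (E + C) * (B + A) % P, (E - C) * (E + C) % P, (B - A) * (B + A) % P)
def _mul(s, p):  # double-and-add scalar multiplication
    q = (0, 1, 1, 0)
    while s:
        if s & 1: q = _add(q, p)
        p, s = _add(p, p), s >> 1
    return q
def _recover_x(y, sign):  # x from y and the sign bit; None if the point is not on the curve
    if y >= P: return None
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    if x2 == 0: return None if sign else 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P: x = x * SQRT_M1 % P
    if (x * x - x2) % P: return None
    return P - x if (x & 1) != sign else x
_GY = 4 * pow(5, P - 2, P) % P; _GX = _recover_x(_GY, 0); _G = (_GX, _GY, 1, _GX * _GY % P)
def _compress(p):  # 32-byte little-endian y with the sign of x in the top bit
    zi = pow(p[2], P - 2, P); x, y = p[0] * zi % P, p[1] * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")
def _decompress(s):
    v = int.from_bytes(s, "little"); y = v & ((1 << 255) - 1); x = _recover_x(y, v >> 255)
    return None if x is None else (x, y, 1, x * y % P)
def _expand(seed):  # clamped scalar a and nonce prefix from SHA-512(seed)
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]
def _h_modq(*parts): return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % Q
def ed25519_public(seed): return _compress(_mul(_expand(seed)[0], _G))
def ed25519_sign(seed, msg):
    a, prefix = _expand(seed); pub = _compress(_mul(a, _G))
    r = _h_modq(prefix, msg); R = _compress(_mul(r, _G))
    return R + ((r + _h_modq(R, pub, msg) * a) % Q).to_bytes(32, "little")
def ed25519_verify(pub, msg, sig):
    if len(pub) != 32 or len(sig) != 64: return False
    A, R, s = _decompress(pub), _decompress(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= Q: return False  # s >= Q is non-canonical: reject
    L, M = _mul(s, _G), _add(R, _mul(_h_modq(sig[:32], pub, msg), A))
    return (L[0] * M[2] - M[0] * L[2]) % P == 0 and (L[1] * M[2] - M[1] * L[2]) % P == 0

# ---- JWT: per-key alg allowlist, then signature check ----
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# alg values a key type can legitimately carry (RFC 7518 table above; OKP/EdDSA from RFC 8037)
KEY_ALGS = {("EC", "P-256"): {"ES256"}, ("EC", "P-384"): {"ES384"}, ("EC", "P-521"): {"ES512"},
            ("OKP", "Ed25519"): {"EdDSA"}, ("OKP", "Ed448"): {"EdDSA"}, ("oct", None): {"HS256", "HS384", "HS512"},
            ("RSA", None): {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}}

def allowed_algs(jwk, discovery):
    """JWK alg wins; else the issuer's id_token_signing_alg_values_supported; always limited to the key type."""
    wanted = {jwk["alg"]} if "alg" in jwk else set(discovery.get("id_token_signing_alg_values_supported", []))
    return KEY_ALGS.get((jwk["kty"], jwk.get("crv")), set()) & wanted

def verify_jwt(token, jwks, discovery):
    """Return the claims of a compact JWS or raise ValueError. Key selection by kid is an assumption."""
    parts = token.split(".")
    if len(parts) != 3: raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    keys = [k for k in jwks["keys"] if "kid" in header and k.get("kid") == header["kid"]]
    if len(keys) != 1: raise ValueError("unknown or ambiguous kid")
    jwk, alg = keys[0], header.get("alg")
    if alg not in allowed_algs(jwk, discovery):  # rejects "none", a missing alg and alg/key confusion
        raise ValueError(f"alg {alg!r} not permitted for key {jwk['kid']}")
    signing_input, sig = f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])
    if alg == "EdDSA" and jwk["crv"] == "Ed25519":
        ok = ed25519_verify(b64url_decode(jwk["x"]), signing_input, sig)
    elif alg == "HS256":
        ok = hmac.compare_digest(hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest(), sig)
    else:
        raise ValueError(f"{alg} allowed by policy but not implemented in this example")
    if not ok: raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))

# Constructed fixtures: RFC 8037 A.1 Ed25519 seed, a made-up HMAC key and a hypothetical issuer.
ED_SEED = b64url_decode("nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A")
HS_KEY = b"constructed-32-byte-secret-key!!"
JWKS = {"keys": [{"kty": "OKP", "crv": "Ed25519", "kid": "ed-1", "x": b64url_encode(ed25519_public(ED_SEED))},
                 {"kty": "oct", "kid": "hs-1", "alg": "HS256", "k": b64url_encode(HS_KEY)}]}
DISCOVERY = {"issuer": "https://issuer.example", "id_token_signing_alg_values_supported": ["EdDSA"]}

def make_jwt(claims, kid="ed-1", header_alg="EdDSA", hs_key=None):
    """Test helper: HMAC-SHA256 with hs_key if given, else Ed25519 with ED_SEED; the header may claim any alg."""
    head = b64url_encode(json.dumps({"alg": header_alg, "kid": kid}).encode())
    si = f"{head}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(hs_key, si.encode(), hashlib.sha256).digest() if hs_key else ed25519_sign(ED_SEED, si.encode())
    return f"{si}.{b64url_encode(sig)}"

if __name__ == "__main__":
    print(verify_jwt(make_jwt({"sub": "alice", "iss": DISCOVERY["issuer"]}), JWKS, DISCOVERY))
```

The point of allowed_algs is that the header's alg is never trusted on its own: the key type fixes the candidate set, so an HS256 header presented against the Ed25519 public key (the classic key-confusion attack) and an alg of none are both rejected before any signature is examined, and a JWK without alg gets only what the discovery document advertises. The inline Ed25519 exists so the example is self-contained; it is not constant-time and a real verifier should use a vetted implementation.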