Although Thinktecture.IdentityServer supports signing a jwt using a symmetric key, the OidcClient class does not support validating a token using one - it only supports validating tokens signed using a certificate. Is this deliberate and are there problems or any limitations with signing a jwt with the client secret? I am getting some push back with requiring client apps to have a certificate and if I can avoid it without compromising security I would like to do so.
Comments:

- Which OidcClient class are you talking about? Thinktecture or Microsoft? – leastprivilege Aug 25 '14 at 14:41
- @leastprivilege I am referring to the Thinktecture OidcClient class. – Ashish Aug 26 '14 at 16:03
- @leastprivilege - can you clarify which Microsoft client you are referring to? – Ashish Sep 05 '14 at 21:51
- The one in Katana v3. – leastprivilege Sep 06 '14 at 21:07
1 Answer
IIRC OidcClient is quite old - we just did not implement it. And your apps don't need a certificate, they just need to be able to verify a signature using asymmetric crypto.
Using a symmetric key only makes sense for server-based apps, since that key must be stored securely (otherwise anyone who reverse engineers the app can create valid identity tokens).
The other option is to send the id token back to idsrv for validation (for clients that don't have the required crypto libraries). This endpoint does not exist currently in beta 1 - but is on our todo list.

leastprivilege