Conversation

@mickenordin (Member)

Fixes: #313

@glpatcern (Member) left a comment

This is already good, do you think we could provide an example of how to use the jwks.json? Also, at this point I'm ok to keep the deprecated part, but I'd remove the now-fully-outdated example.

@mickenordin (Member, Author)

> This is already good, do you think we could provide an example of how to use the jwks.json? Also, at this point I'm ok to keep the deprecated part, but I'd remove the now-fully-outdated example.

I removed the deprecated example now. Where would be a good place to put an example, and how would you like it to be? An example JSON with the various fields?

@glpatcern (Member)

> I removed the deprecated example now. Where would be a good place to put an example, and how would you like it to be? An example JSON with the various fields?

Good question: what about an Appendix, as it was done with the previous example? Then yes, I'd include an example JSON like the one in #313, and a code snippet from your own toy implementation (it's Python IIRC, right?) to 1) encode and add a signature at the sender and 2) validate it at the receiver.

@mickenordin (Member, Author)

> I removed the deprecated example now. Where would be a good place to put an example, and how would you like it to be? An example JSON with the various fields?

> Good question: what about an Appendix, as it was done with the previous example? Then yes, I'd include an example JSON like the one in #313, and a code snippet from your own toy implementation (it's Python IIRC, right?) to 1) encode and add a signature at the sender and 2) validate it at the receiver.

Good thing you mentioned appendices. We had Appendix B with draft-cavage signature examples. I rewrote that, and I hope it is something like what you wanted. A lot of Python code didn't look good, so a step-by-step algorithm turned out better, I think.

@glpatcern (Member)

> Good thing you mentioned appendices. We had Appendix B with draft-cavage signature examples. I rewrote that, and I hope it is something like what you wanted. A lot of Python code didn't look good, so a step-by-step algorithm turned out better, I think.

Ah yes, that appendix indeed was also obsoleted now; great that you rewrote it.

I think the text and the step-by-step part are good, but the hacker-programmer in me would still like to see some minimal code; let me give you an example.

glpatcern self-requested a review on January 16, 2026 at 13:37

@glpatcern (Member) left a comment

So for the code snippets:

@mickenordin (Member, Author) commented Jan 16, 2026

> So for the code snippets:

There is e.g. https://pypi.org/project/http-message-signatures/ but I am not sure that adding snippets using this is really helpful.

This is their example:

```python
from http_message_signatures import HTTPMessageSigner, HTTPMessageVerifier, HTTPSignatureKeyResolver, algorithms, http_sfv
import requests, base64, hashlib

# Key resolver: maps a key id to key material. One shared secret serves both
# sides here because the chosen signature algorithm is HMAC-SHA256.
class MyHTTPSignatureKeyResolver(HTTPSignatureKeyResolver):
    keys = {"my-key": b"top-secret-key"}

    def resolve_public_key(self, key_id: str):
        return self.keys[key_id]

    def resolve_private_key(self, key_id: str):
        return self.keys[key_id]

# Build the request, then add a Content-Digest header so the body is covered by the signature.
request = requests.Request('POST', 'https://example.com/foo?param=Value&Pet=dog', json={"hello": "world"})
request = request.prepare()
request.headers["Content-Digest"] = str(http_sfv.Dictionary({"sha-256": hashlib.sha256(request.body).digest()}))

# Sender: sign the listed components; this adds the Signature-Input and Signature headers.
signer = HTTPMessageSigner(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
signer.sign(request, key_id="my-key", covered_component_ids=("@method", "@authority", "@target-uri", "content-digest"))

# Receiver: rebuild the signature base from the same components and check the signature.
verifier = HTTPMessageVerifier(signature_algorithm=algorithms.HMAC_SHA256, key_resolver=MyHTTPSignatureKeyResolver())
verifier.verify(request)
```

Easy enough to look up when implementing, but not really helping you understand what is going on IMO.
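The earlier request in this thread was for a snippet that 1) signs at the sender and 2) validates at the receiver, with the public key looked up through jwks.json; the following is an added example, not the draft's code nor anything posted by the participants, and it spells out the steps the library call above hides (JWK publication and lookup, RFC 9421 signature base, Ed25519 sign and verify). It uses Go because its standard library ships Ed25519; the key id, covered components, seed and Content-Digest value are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// publishJWKS (sender) renders the Ed25519 public key as an OKP JWK in a jwks.json document (RFC 7517).
func publishJWKS(kid string, pub ed25519.PublicKey) string {
	return fmt.Sprintf(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":%q,"x":%q}]}`,
		kid, base64.RawURLEncoding.EncodeToString(pub))
}

// resolveKey (receiver) picks the key named by kid out of a fetched jwks.json; nil if absent or malformed.
func resolveKey(doc, kid string) ed25519.PublicKey {
	var set struct{ Keys []map[string]string `json:"keys"` }
	if json.Unmarshal([]byte(doc), &set) != nil {
		return nil
	}
	for _, k := range set.Keys {
		raw, err := base64.RawURLEncoding.DecodeString(k["x"])
		if k["kid"] == kid && k["kty"] == "OKP" && k["crv"] == "Ed25519" && err == nil && len(raw) == ed25519.PublicKeySize {
			return ed25519.PublicKey(raw)
		}
	}
	return nil
}

// signatureBase builds the RFC 9421 signature base: one "name": value line per covered component, then "@signature-params".
func signatureBase(names []string, values map[string]string, params string) string {
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "\"%s\": %s\n", n, values[n])
	}
	fmt.Fprintf(&b, "\"@signature-params\": %s", params)
	return b.String()
}

// sign (sender) returns the Signature-Input parameter list and the base64 value for the Signature header.
func sign(priv ed25519.PrivateKey, kid string, created int64, names []string, values map[string]string) (params, sig string) {
	params = fmt.Sprintf("(\"%s\");created=%d;keyid=%q;alg=\"ed25519\"", strings.Join(names, "\" \""), created, kid)
	sig = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(signatureBase(names, values, params))))
	return params, sig
}

// verify (receiver) rebuilds the base from the received message plus Signature-Input and checks it with the JWKS key.
func verify(doc, kid string, names []string, values map[string]string, params, sig string) bool {
	pub := resolveKey(doc, kid)
	raw, err := base64.StdEncoding.DecodeString(sig)
	return pub != nil && err == nil && ed25519.Verify(pub, []byte(signatureBase(names, values, params)), raw)
}
```

Because the receiver rebuilds the base from the message it actually received, changing any covered component (or presenting an unknown kid) makes verification fail.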

@glpatcern (Member)

> Easy enough to look up when implementing, but not really helping you understand what is going on IMO.

Well, it's not too bad after all, but I take your point that it might be too much to include such code snippets in an Internet Draft. So let's give it a try without, and we can bring this to the WG anyway. Let me re-review for just a couple of fixes.

glpatcern self-requested a review on January 16, 2026 at 14:51

@glpatcern (Member) left a comment

Minimal fixes - I think it's better to have abstract values (as in RFC7515 actually), especially without any actual code snippet.

- Fix http-sig capability to reference RFC7517 instead of RFC7515
- Add RFC7517 (JWK) and RFC8032 (EdDSA) to references
- Fix RFC7515 reference formatting
- Replace draft-cavage examples with RFC9421 signature format
- Add JWKS endpoint and Ed25519 signing/verification examples

Co-authored-by: Giuseppe Lo Presti <giuseppe.lopresti@cern.ch>
@mickenordin (Member, Author)

> Minimal fixes - I think it's better to have abstract values (as in RFC7515 actually), especially without any actual code snippet.

Added them in now.


Development

Successfully merging this pull request may close these issues.

Adopt JWS format for exposing public keys
