[proposal] Filter `VerificationMethod` by `kid` if one is present in the header
The default behavior for JWT/JWS verification is to extract an array of possible signers from the DID document of the `iss` and then verify each signer to check for a signature match.

This can be improved by also looking for a `kid` property in the header and only using that one for verification.
For this to work, `kid` (if present) must be a DID URL with a `#fragment`, that dereferences to a `VerificationMethod` from the DID document of the `iss`.

- if `kid` is present, `kid` and `iss` DID must match
- if `kid` is present, apply the filter as early as possible, to avoid expensive cryptographic operations.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:6 (3 by maintainers)
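
The selection rules proposed in the issue above, as an added example that is not code from the issue or from the project. The function name `selectVerificationMethods`, the error messages and the sample DID document are assumptions made for illustration, and `kid` is assumed to carry no path or query component.

```javascript
// Constructed sample DID document (not from the issue); one method id is relative.
const sampleDoc = {
  id: 'did:example:alice',
  verificationMethod: [
    { id: 'did:example:alice#key-1', type: 'JsonWebKey2020', controller: 'did:example:alice' },
    { id: '#key-2', type: 'JsonWebKey2020', controller: 'did:example:alice' },
  ],
};

// Hypothetical helper: returns the verification methods a verifier should try,
// before any signature check is attempted.
function selectVerificationMethods(header, payload, didDocument) {
  const methods = didDocument.verificationMethod || [];
  const kid = header.kid;
  // No kid: keep the default behaviour and try every candidate signer.
  if (kid === undefined) return methods;

  // kid must be a DID URL with a non-empty #fragment, not a bare DID
  // and not a relative reference such as "#key-1".
  const hash = typeof kid === 'string' ? kid.indexOf('#') : -1;
  if (hash <= 0 || hash === kid.length - 1) {
    throw new Error('kid must be a DID URL with a #fragment');
  }
  // The DID part of kid must be the issuer (assumes no path or query in kid).
  if (kid.slice(0, hash) !== payload.iss) {
    throw new Error('kid DID does not match iss');
  }
  // Method ids may be relative ("#key-2"); resolve them against the document id.
  const absolute = (id) => (id.startsWith('#') ? didDocument.id + id : id);
  const selected = methods.filter((vm) => absolute(vm.id) === kid);
  if (selected.length === 0) {
    throw new Error('kid does not dereference to a verification method of iss');
  }
  return selected;
}
```

Because the function throws before returning any candidates, a token with a malformed or mismatched `kid` is rejected without a single signature verification being run.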
Top GitHub Comments
Bad stalebot!
It’s worth constraining `kid` to be a DID URL, not a DID… this would mean it is distinguishable from `didDocument.id` and `verificationMethod.controller`, both of which would align with `iss`.