Add kid header requirement for private_key_jwt #714

Open
melanconj wants to merge 2 commits into development from security/jwt-assertion-kid-header

Conversation

@melanconj
Contributor

As discussed in Profile V working group, OpenId Connect specification requires the presence of the kid header field in private_key_jwt assertions to allow for the Identity Provider to determine which key it shall use for the given clientid to validate the assertion against.

I'm adding a requirement when using private_key_jwt to add the configured KeyID to the kid header. This value is already known by the client and can be configured (out of band) on the identity server so it can match it.

Closes onvif/wg_profile_cloud#142

Contributor

@kieran242 kieran242 left a comment


@jmelancondev Approved

Member

@HansBusch HansBusch left a comment


Two editorial remarks:

  • Just by putting it in the same paragraph as the previous sentence doesn't inherit the condition.
  • The term assertion is quite vague. Do you mean the client_assertion field?

Does ONVIF really need to differ from OpenID Connect, as the OpenID Connect Core Specification states in chapter 9 Client Authentication: "Clients that have registered a public key sign a JWT using that key." The chapter is very specifically talking about a single key.

If ONVIF wants to extend that design it should give some rationale why and when a kid is needed.

@HansBusch
Member

Did some more research and got to the conclusion that putting the kid in the assertion header is nicely documented in Section 4.1.4 of RFC 7515. Suggest to add RFC 7515 as reference and refer to that section in case the key of an authorization server configuration is updated.

Suggest to add a paragraph to 5.6.3 SetAuthorizationServerConfiguration:

When the KeyID of a configuration is changed the device should include the kid header field of the JWT assertion according to RFC 7515 section 4.1.4.

@melanconj
Contributor Author

Clarification seems fine to me, always feels a bit weird that the Set*Configuration gives requirements about how to do something that's not related to the call itself, but it's still better than the previous location.

Only thing is that I kept the shall, otherwise we're not properly addressing the concerns raised in onvif/wg_profile_cloud#142 and we might as well not make any changes.

@bsriramprasad
Contributor

@sujithhanwha label needs to change to 26.12

@ocampana-videotec ocampana-videotec added this to the 26.12 milestone Mar 10, 2026


7 participants