Hello, 

I am configuring Apereo CAS 6.4.6.6 as an OpenId Connect server. Following 
the CAS documentation, I added the property to the server: 

cas.authn.oidc.jwks.file-system.jwks-file=file:/etc/cas/config/keystore.jwks 

Looking at the documentation on how to define a client for this protocol:

https://apereo.github.io/cas/7.2.x/authentication/OIDC-Authentication-Clients.html

(which is very similar to CAS 6.4.6.6), it is written:

jwks -> Optional. Resource path to the keystore location that holds the 
keys for this application.

Isn't this the keystore.jwks that should sign the ID Token when it is 
generated for this service? 

For example, I have:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "https:localhost:8443/openid-connect-demo/.*",
  "clientId": "openid_connect",
  "clientSecret": "AAAAAAAAAA",
  "name" : "Cas Server",
  "id" : 10290,
  "evaluationOrder" : 290,
  "bypassApprovalPrompt": true,
  "generateRefreshToken" : true,
  "jsonFormat" : true,
  "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "password", "client_credentials", "refresh_token" ] ],
  "supportedResponseTypes" : [ "java.util.HashSet", [ "code", "token" ] ],
  ....
  "jwks": "file:/etc/cas/config/localhost/oidc/keystore3.jwks"
}

When I have the jwks property in this file, CAS automatically adds this new 
key to the path:

https://{SERVER_CAS_PATH}/cas/oidc/jwks

But when it has to sign the ID Token, it always uses: 

cas.authn.oidc.jwks.file-system.jwks-file=file:/etc/cas/config/keystore.jwks

Shouldn't I use the signature defined in "jwks"? Am I doing something 
wrong? Am I missing something else to configure? 

Thanks!

- Xavier -
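A quick way to check which keystore actually signed a given ID token is to compare the `kid` in the token's JOSE header against the `kid` values in each JWKS file, and to check that every per-service key also shows up in what `/cas/oidc/jwks` publishes. The script below is an added example, not code from the original post or from CAS; the key ids, the JWKS contents and the token are constructed sample data (the RSA values are placeholders, and nothing is cryptographically verified here).

```python
import base64
import json
from typing import Dict, List, Optional

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS (the ID token) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0]))

def load_jwks(text: str) -> Dict[str, dict]:
    """Map kid -> key for every key in a JWKS document (keys without a kid are skipped)."""
    return {k["kid"]: k for k in json.loads(text).get("keys", []) if "kid" in k}

def which_keystore_signed(token: str, keystores: Dict[str, str]) -> Optional[str]:
    """Name the keystore whose key id (and alg, if the key states one) matches the token header."""
    hdr = jwt_header(token)
    for name, jwks_text in keystores.items():
        key = load_jwks(jwks_text).get(hdr.get("kid"))
        if key is not None and key.get("alg", hdr.get("alg")) == hdr.get("alg"):
            return name
    return None

def missing_kids(published_jwks: str, keystores: Dict[str, str]) -> List[str]:
    """Key ids present in the local keystores but absent from the published /oidc/jwks document."""
    published = load_jwks(published_jwks)
    return sorted(kid for text in keystores.values() for kid in load_jwks(text) if kid not in published)

# Constructed sample data (placeholder RSA parameters; kids are hypothetical).
def _jwks(kid: str) -> str:
    return json.dumps({"keys": [{"kty": "RSA", "kid": kid, "alg": "RS256",
                                 "use": "sig", "n": "AQAB", "e": "AQAB"}]})

SERVER_JWKS = _jwks("server-key-1")     # stands in for keystore.jwks
SERVICE_JWKS = _jwks("service-key-3")   # stands in for keystore3.jwks
PUBLISHED_JWKS = json.dumps({"keys": json.loads(SERVER_JWKS)["keys"] + json.loads(SERVICE_JWKS)["keys"]})
SAMPLE_ID_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "server-key-1"}).encode()),
    b64url_encode(json.dumps({"iss": "https://localhost:8443/cas/oidc", "aud": "openid_connect"}).encode()),
    b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    stores = {"server keystore.jwks": SERVER_JWKS, "service keystore3.jwks": SERVICE_JWKS}
    print("signed by:", which_keystore_signed(SAMPLE_ID_TOKEN, stores))
    print("not published:", missing_kids(PUBLISHED_JWKS, stores))
```

Run it against a real ID token and the real files to confirm whether the `kid` points at the global keystore or the per-service one; if the service key is published but never used for signing, that narrows the question to the signing side of the configuration.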

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/07f60180-e7ed-4c1b-a6fa-f5d119c2f0a1n%40apereo.org.