CCF
Support EdDSA keys in JWT authentication policy
Mentioned by @achamayou here: https://github.com/microsoft/CCF/pull/6680/files#r1873482195
However, I don't find anything in the JWT/JWT RFCs about EdDSA, according to the table, there's no corresponding alg to specify that.
```
+--------------+-------------------------------+--------------------+
| "alg" Param  | Digital Signature or MAC      | Implementation     |
| Value        | Algorithm                     | Requirements       |
+--------------+-------------------------------+--------------------+
| HS256        | HMAC using SHA-256            | Required           |
| HS384        | HMAC using SHA-384            | Optional           |
| HS512        | HMAC using SHA-512            | Optional           |
| RS256        | RSASSA-PKCS1-v1_5 using       | Recommended        |
|              | SHA-256                       |                    |
| RS384        | RSASSA-PKCS1-v1_5 using       | Optional           |
|              | SHA-384                       |                    |
| RS512        | RSASSA-PKCS1-v1_5 using       | Optional           |
|              | SHA-512                       |                    |
| ES256        | ECDSA using P-256 and SHA-256 | Recommended+       |
| ES384        | ECDSA using P-384 and SHA-384 | Optional           |
| ES512        | ECDSA using P-521 and SHA-512 | Optional           |
| PS256        | RSASSA-PSS using SHA-256 and  | Optional           |
|              | MGF1 with SHA-256             |                    |
| PS384        | RSASSA-PSS using SHA-384 and  | Optional           |
|              | MGF1 with SHA-384             |                    |
| PS512        | RSASSA-PSS using SHA-512 and  | Optional           |
|              | MGF1 with SHA-512             |                    |
| none         | No digital signature or MAC   | Optional           |
|              | performed                     |                    |
+--------------+-------------------------------+--------------------+
```
There's also no support for EdDSA in PyJWT we use, so e2e testing is not easily extendable.
As part of this ticket, the use of `alg` may also be revisited:
- It's present in all JWKs mentioned in #6601 except Entra.
- However, all `.well-known/openid-configuration` documents seem to have `id_token_signing_alg_values_supported` specified, which has never been standardised, AFAICT. It may be used as a default option for the keys.
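The two sources of `alg` mentioned in the issue (the JWK's own `alg` field, and `id_token_signing_alg_values_supported` from the discovery document as a fallback) can be combined into one selection rule that also refuses algorithm/key-type confusion. The following is an added illustration written for this page, not code from the issue or from CCF: it takes a compact JWT, a JWKS and an OpenID discovery document, picks the key by `kid`, and only accepts the header `alg` if the key (or, when the key has no `alg`, the discovery document) permits it and the key's `kty`/`crv` is the right kind for that `alg`. The RSA and EC rows come from the RFC 7518 table quoted above; the `EdDSA` row, with `kty` `OKP` and `crv` `Ed25519`/`Ed448`, is the registration from RFC 8037 that the table predates. The JWKS, discovery document and tokens are constructed placeholders (no real key material, no real signatures); signature verification itself is out of scope here.

```python
"""Pick the JWS algorithm a JWT must be verified with, using the JWK's "alg"
and, when the JWK has none, the issuer's id_token_signing_alg_values_supported.
Added example, not CCF code; only header/key metadata is checked here."""
import base64
import json
from typing import Dict, Optional, Set, Tuple

# Accepted "alg" values -> (required JWK "kty", allowed "crv" values or None).
# RS*/PS*/ES* are from RFC 7518 (the table quoted in the issue); "EdDSA" is
# from RFC 8037 (kty "OKP", crv "Ed25519" or "Ed448"). "HS*" and "none" are
# left out on purpose: a JWKS carries public keys, so neither has a key to
# match, and accepting them would let a token pick a non-signature "alg".
ALLOWED_ALGS: Dict[str, Tuple[str, Optional[Set[str]]]] = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", {"P-256"}), "ES384": ("EC", {"P-384"}), "ES512": ("EC", {"P-521"}),
    "EdDSA": ("OKP", {"Ed25519", "Ed448"}),
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used for every JWT segment."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Parse the JOSE header (first segment) of a compact JWS/JWT."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(segments[0]))


def key_matches_alg(jwk: dict, alg: str) -> bool:
    """True if the JWK's kty (and crv, where relevant) fits the given alg."""
    kty, curves = ALLOWED_ALGS[alg]
    if jwk.get("kty") != kty:
        return False
    return curves is None or jwk.get("crv") in curves


def select_alg(token: str, jwks: dict, openid_config: dict) -> Tuple[str, dict]:
    """Return (alg, jwk) to verify the token with, or raise ValueError.

    Policy: the header alg must be a known public-key signature alg; the key
    is chosen by kid; the alg must be the JWK's own "alg" if present, else one
    of the issuer's id_token_signing_alg_values_supported; and the key type
    must actually be usable with that alg (no RSA key with ES256, etc.)."""
    header = jwt_header(token)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} is not an accepted signature algorithm")
    kid = header.get("kid")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(candidates) != 1:
        raise ValueError(f"no unique key for kid {kid!r}")
    jwk = candidates[0]
    if "alg" in jwk:
        permitted = {jwk["alg"]}
    else:  # e.g. Entra keys carry no "alg": fall back to the discovery document
        permitted = set(openid_config.get("id_token_signing_alg_values_supported", []))
    if alg not in permitted:
        raise ValueError(f"alg {alg!r} not permitted for kid {kid!r} (allowed: {sorted(permitted)})")
    if not key_matches_alg(jwk, alg):
        raise ValueError(f"key {kid!r} (kty={jwk.get('kty')}, crv={jwk.get('crv')}) cannot be used with {alg}")
    return alg, jwk


def is_rejected(token: str, jwks: dict, openid_config: dict) -> bool:
    """Convenience wrapper: True if select_alg refuses the token."""
    try:
        select_alg(token, jwks, openid_config)
    except ValueError:
        return True
    return False


def make_token(header: dict) -> str:
    """Constructed compact JWT with an empty payload and a placeholder
    signature segment; only the header is inspected by select_alg."""
    return f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(b'{}')}.sig-placeholder"


# Constructed sample data: placeholder key fields, not real key material.
SAMPLE_JWKS = {"keys": [
    {"kty": "OKP", "crv": "Ed25519", "kid": "ed-1", "alg": "EdDSA", "x": "PLACEHOLDER"},
    {"kty": "EC", "crv": "P-256", "kid": "ec-1", "alg": "ES256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    {"kty": "RSA", "kid": "rsa-1", "n": "PLACEHOLDER", "e": "AQAB"},  # no "alg", like Entra's keys
]}
SAMPLE_OPENID_CONFIG = {"id_token_signing_alg_values_supported": ["RS256"]}

if __name__ == "__main__":
    for hdr in ({"alg": "EdDSA", "kid": "ed-1"}, {"alg": "RS256", "kid": "rsa-1"},
                {"alg": "none", "kid": "ed-1"}, {"alg": "ES256", "kid": "ed-1"},
                {"alg": "PS256", "kid": "rsa-1"}, {"alg": "HS256", "kid": "rsa-1"}):
        tok = make_token(hdr)
        try:
            print(hdr, "->", select_alg(tok, SAMPLE_JWKS, SAMPLE_OPENID_CONFIG)[0])
        except ValueError as exc:
            print(hdr, "-> rejected:", exc)
```

The deliberate asymmetry is that a JWK's own `alg` is authoritative when present, while the discovery list is only consulted for keys that lack one; a token may never widen either set by what it puts in its header, which is what keeps an RSA key from being verified under `PS256` when the issuer only advertises `RS256`, or an Ed25519 key from being used with `ES256`.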