jwtthinktecture-ident-model

Why does OidcClient not support validating a jwt signed using symmetric key /client secret


Although Thinktecture.IdentityServer supports signing a jwt using a symmetric key, the OidcClient class does not support validating a token using one - it only supports validating tokens signed using a certificate. Is this deliberate and are there problems or any limitations with signing a jwt with the client secret? I am getting some push back with requiring client apps to have a certificate and if I can avoid it without compromising security I would like to do so.


Solution

  • IIRC OidcClient is quite old - we just did not implement it. And you apps don't need a certificate, they just need to be able to verify a signature using asymmetric crypto.

    Using a symmetric key makes only sense for server-based apps since that key must be stored securely (otherwise anyone who reverse engineers the app can create valid identity tokens).

    The other option is to send the id token back to idsrv to validation (for clients that don't have the required crypto libraries). This endpoint does not exist currently in beta 1 - but is on our todo list.