From fc7cf86318e241925e06725f373885e9ff77c9f1 Mon Sep 17 00:00:00 2001 From: Moncef Belyamani Date: Tue, 17 Dec 2024 14:16:48 -0500 Subject: [PATCH 1/3] Update JWT docs for outgoing security events According to the idp code, we are sending the `kid` header for outgoing security events, and we also include the `exp` claim. However, those were not documented, and we had a partner ask us why we don't send the `kid` header. They assumed that we don't because they believed the documentation. --- _pages/security-events.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/_pages/security-events.md b/_pages/security-events.md index 4c44ab44..4461fc15 100644 --- a/_pages/security-events.md +++ b/_pages/security-events.md @@ -323,6 +323,9 @@ s41MmdQzalGuKMX3Hr7Rn5xtnmJiQ5HQ7pcdCh5ZidWvw7VcblStN-rTLEBCUUO14pCfdAzVCs09Wb1W * **typ** (string) The type header will be set to **secevent+jwt** +* **kid** (string) + The kid header provides a hint indicating which key was used to sign the JWT + #### JWT Claims * **aud** (string) @@ -340,6 +343,9 @@ s41MmdQzalGuKMX3Hr7Rn5xtnmJiQ5HQ7pcdCh5ZidWvw7VcblStN-rTLEBCUUO14pCfdAzVCs09Wb1W * **events** An object containing an event, keyed by event type. The keys and values depend on the event types, see [Supported Outgoing Events](#supported-outgoing-events) for event types and their payloads. +* **exp** (integer) + Time at which the JWT expires (12 hours after it was issued), an integer timestamp representing the number of seconds since the Unix Epoch. + ### Response Login.gov will interpret any response other than a 200-level status as a failure, and will ignore any response body. Failure requests may be retried. From 79be3912a36d912373bcb5a499a5f719ddf61d39 Mon Sep 17 00:00:00 2001 From: Moncef Belyamani Date: Tue, 17 Dec 2024 14:29:30 -0500 Subject: [PATCH 2/3] Link to OIDC certs in "kid" description Co-authored-by: Mitchell Henke --- _pages/security-events.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/_pages/security-events.md b/_pages/security-events.md index 4461fc15..2d9e4515 100644 --- a/_pages/security-events.md +++ b/_pages/security-events.md @@ -324,7 +324,7 @@ s41MmdQzalGuKMX3Hr7Rn5xtnmJiQ5HQ7pcdCh5ZidWvw7VcblStN-rTLEBCUUO14pCfdAzVCs09Wb1W The type header will be set to **secevent+jwt** * **kid** (string) - The kid header provides a hint indicating which key was used to sign the JWT + The kid header provides a hint indicating which key was used to sign the JWT. The keys are listed in the [Certificates Endpoint](/oidc/certificates/). #### JWT Claims From 268e6c3c791b642b5f392a3bbd83bc0788090b83 Mon Sep 17 00:00:00 2001 From: Mitchell Henke Date: Wed, 18 Dec 2024 12:14:49 -0600 Subject: [PATCH 3/3] update example request to include kid --- _pages/security-events.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_pages/security-events.md b/_pages/security-events.md index 2d9e4515..859b2abb 100644 --- a/_pages/security-events.md +++ b/_pages/security-events.md 
@@ -303,11 +303,11 @@ POST /events Host: agency.example.gov Content-Type: application/secevent+jwt Accept: application/json -eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJSUzI1NiJ9 +eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJraWQiOiJmNWNlMTIzOWUzOWQzZGE4MzZmOTYzYmNjZDg1Zjg1ZDU3ZDQzMzVjZmRjNmExNzAzOWYyNzQzNjFhMThiMTNjIiwiYWxnIjoiUlMyNTYifQ . eyJpc3MiOiJodHRwczovL2lkcC5pbnQuaWRlbnRpdHlzYW5kYm94Lmdvdi8iLCJqdGkiOiJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiIsImlhdCI6MTU5NTUzMjE3OCwiYXVkIjoiaHR0cHM6Ly9hZ2VuY3kuZXhhbXBsZS5nb3YvZXZlbnRzIiwiZXZlbnRzIjp7Imh0dHBzOi8vc2NoZW1hcy5vcGVuaWQubmV0L3NlY2V2ZW50L3Jpc2MvZXZlbnQtdHlwZS9pZGVudGlmaWVyLXJlY3ljbGVkIjp7InN1YmplY3QiOnsic3ViamVjdF90eXBlIjoiZW1haWwiLCJlbWFpbCI6ImVtYWlsQGV4YW1wbGUuY29tIn19fX0 . -s41MmdQzalGuKMX3Hr7Rn5xtnmJiQ5HQ7pcdCh5ZidWvw7VcblStN-rTLEBCUUO14pCfdAzVCs09Wb1WR8KqPwyTkmvYPiRMr2A_zr8VMKF1bfKhzLMhZnUB1N_elqJXJXjpUy9u7YnoT32VFtwp-8xmwb0g6esLYhVP4yPztAj4NxqQcy7vQ3xpEXiYcUBBKAoC6d3BkaeRSQziOQJQZQ93her8sj9XrvvlHCjqOz1QQd1uUnlV3p9rI13WDoyAHAL6tn_Dv3FqgiFgUWmh3wlsiVFHABUMUJy_XK3FeG5ULsmvNitmpQRIBjAmHLldZ3E5uNGatFQJscuxvlrhLA +KS0KvsV0eIRIhvg8wGdN6luIgsXi4nqp9ZY3OF2ft2fUwsk5rk2O_e2-I2Lf8yj0HN1BQ8IIAChWB9_dv-FMAFhShcCpuSHP_dQzBXLATc57PC0fAOZwqAgBuwnB08Z6o_I0OyBZCla5SctYwk1mfK0Wyup7EHdszvuc3i8K5uJV0bPii-VKbJ3YFnMcJD3OVaU3CkaJTqnmdtxYb02uWvImK5D3H9aPgQgJUYsARN-qMmcn5vUGCxWXpMmV53X-Czcf9RGBiK4ZLHL4st2Sxjza3UzC_p_S82rff_g-pJvZbIXL_II02gF9jOsMXELfaX40_SFsnyY6HDCOy3HIAw ``` #### HTTP Request
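Review bot: the new `exp` entry in the second hunk of PATCH 1/3 states the lifetime as a fixed 12 hours but gives receivers no validation rule; since partners treat this page as the contract (the commit message says one already did for `kid`), say that the JWT must be rejected once `exp` has passed, allowing a small clock skew, rather than leaving the 12-hour figure as the only guidance, because that figure is an issuer setting that can change without the receiver's validation needing to. Suggested addition after the existing sentence: `Receivers must reject the JWT if the current time is past exp (allowing for a small clock skew).`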
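Review bot: the sentence added in PATCH 2/3 points to the Certificates Endpoint but does not say what to do when the `kid` is absent from a cached copy of that key set; keys at that endpoint rotate, so a partner that caches it will start failing at rotation unless told to refetch. Suggest appending: `If the kid is not present in a cached copy of the certificates, refetch the endpoint before rejecting the JWT; the signing key must always be taken from that endpoint, never from key material carried in the token itself.`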
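Review bot: the regenerated example in PATCH 3/3 replaces the header (decoded it is `{"typ":"secevent+jwt","kid":"f5ce1239e39d3da836f963bccd85f85d57d4335cfdc6a17039f274361a18b13c","alg":"RS256"}`) and the signature, but the payload segment is left unchanged and, decoded, carries only `iss`, `jti`, `iat`, `aud` and `events`, so the example has no `exp` claim even though PATCH 1/3 documents `exp` as a claim of every outgoing event. Regenerate the sample with `exp` set (per the new text, `iat` plus 12 hours, i.e. `iat` plus 43200 seconds) so the example and the claims list agree, and re-sign it, since the signature covers the payload.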