Hi,
I am currently working with the SimpleSAMLphp OIDC module and trying to use ECDSA (ES256) for signing tokens instead of RSA.
I encountered multiple issues that seem to indicate incomplete or inconsistent support for ECDSA.
1. JWK generation issue
In JsonWebKeySetService::prepareProtocolJwkSet(), the implementation uses:
JWKFactory::createFromKeyFile($certificatePath, ...)
However, $certificatePath points to an X.509 certificate file (.crt), not a private key.
According to the JWT Framework documentation, createFromKeyFile() expects a key file, while certificates should be loaded using:
JWKFactory::createFromCertificateFile()
This mismatch causes failures when using ECDSA certificates, while RSA may work by coincidence.
2. Access token verification issue
In BearerTokenValidator, the signer is hardcoded to RSA:
use Lcobucci\JWT\Signer\Rsa\Sha256;
Configuration::forSymmetricSigner(...)
This causes ES256 tokens to fail verification with:
Access token could not be verified
The validator should dynamically select the signer based on the token's alg header (e.g., ES256 vs RS256), and use forAsymmetricSigner().
3. Expected behavior
- The module should support both RS256 and ES256
- JWK generation should correctly use certificate-based loading
- Token verification should dynamically select the correct signer
4. Questions
- Is ECDSA (ES256) officially supported by this module?
- If yes, what is the correct way to configure keys and certificates?
- Should certificates be combined with private keys, or kept separate?
- Is there a recommended key generation procedure?
5. Suggested fixes
- Replace
createFromKeyFile() with createFromCertificateFile() when loading certificates
- Refactor
BearerTokenValidator to support multiple algorithms (RS256, ES256)
Any guidance would be greatly appreciated.
Thanks!
Hi,
I am currently working with the SimpleSAMLphp OIDC module and trying to use ECDSA (ES256) for signing tokens instead of RSA.
I encountered multiple issues that seem to indicate incomplete or inconsistent support for ECDSA.
1. JWK generation issue
In
JsonWebKeySetService::prepareProtocolJwkSet(), the implementation uses:However,
$certificatePathpoints to an X.509 certificate file (.crt), not a private key.According to the JWT Framework documentation,
createFromKeyFile()expects a key file, while certificates should be loaded using:This mismatch causes failures when using ECDSA certificates, while RSA may work by coincidence.
2. Access token verification issue
In
BearerTokenValidator, the signer is hardcoded to RSA:This causes ES256 tokens to fail verification with:
The validator should dynamically select the signer based on the token's
algheader (e.g., ES256 vs RS256), and useforAsymmetricSigner().3. Expected behavior
4. Questions
5. Suggested fixes
createFromKeyFile()withcreateFromCertificateFile()when loading certificatesBearerTokenValidatorto support multiple algorithms (RS256, ES256)Any guidance would be greatly appreciated.
Thanks!