Clarify kid format for JWT token auth in docs
The kid value can have an arbitrary format according to the JOSE specification, but Docker distribution expects a specific format (libtrust fingerprint) to work. This is not written in the documentation so far and is only mentioned in the libtrust source code itself.

Signed-off-by: Fabio Huser <fabio@fh1.ch>
parent 9d491698cc
commit 17756eb43e
1 changed files with 11 additions and 2 deletions
|
@ -69,8 +69,17 @@ Token has 3 main parts:
|
||||||
|
|
||||||
The header of a JSON Web Token is a standard JOSE header. The "typ" field
|
The header of a JSON Web Token is a standard JOSE header. The "typ" field
|
||||||
will be "JWT" and it will also contain the "alg" which identifies the
|
will be "JWT" and it will also contain the "alg" which identifies the
|
||||||
signing algorithm used to produce the signature. It will also usually have
|
signing algorithm used to produce the signature. It also must have a "kid"
|
||||||
a "kid" field, the ID of the key which was used to sign the token.
|
field, representing the ID of the key which was used to sign the token.
|
||||||
|
|
||||||
|
The "kid" field has to be in a libtrust fingerprint compatible format.
|
||||||
|
Such a format can be generated by following steps:
|
||||||
|
|
||||||
|
1. Take the DER encoded public key which the JWT token was signed against.
|
||||||
|
|
||||||
|
2. Create a SHA256 hash out of it and truncate to 240bits.
|
||||||
|
|
||||||
|
3. Split the result into 12 base32 encoded groups with `:` as delimiter.
|
||||||
|
|
||||||
Here is an example JOSE Header for a JSON Web Token (formatted with
|
Here is an example JOSE Header for a JSON Web Token (formatted with
|
||||||
whitespace for readability):
|
whitespace for readability):
|
||||||
|
|
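Review bot: Step 3 of the added list reads as if the split itself produces the base32 encoding ("Split the result into 12 base32 encoded groups"), and it states neither the order of operations nor the group size. Suggest wording it as: base32-encode the 240-bit (30-byte) truncated hash, which yields 48 characters, then split those into 12 groups of 4 characters joined with `:`. Step 1 should also name which DER structure of the public key is hashed, and "signed against" would be clearer as the public key that matches the private key used to sign the token, since hashing different bytes gives a different kid. In step 2, "240bits" needs a space. An example kid value placed next to the JOSE header example would let readers check their own output against the expected format.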