To enhance the security of our platform, we are working on a new feature to update the key used for signing the ID token issued during the OpenID Connect flow. This feature will be live on March 1, 2024. Developers who have implemented ID token validation may need to make a code change.
What is happening?
Our team is making a change to start returning more than one key in the response array returned by the oauth.platform.intuit.com/op/v1/jwks endpoint.
Before March 1, 2024, the endpoint will return:
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "r4p5SbL2qaFehFzhj8gI",
"alg": "RS256",
"n": "54-aWrVT4QtCcQhOs9269d9AD…kE"
}
]
}
After March 1, 2024, the above endpoint will return:
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "r4p5SbL2qaFehFzhj8gI",
"alg": "RS256",
"n": "54-aWrVT4QtCcQhOs9269d9AD…kE"
},
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "NewKidSample",
"alg": "RS256",
"n": "NewPublicKid"
}
]
}
How does this impact me?
In the OpenID Connect flow, after making the call to exchange your auth code for an ID token, your app needs to validate the ID token and verify that the signing authority for responses is from Intuit. The recommended way to check the signature is to scan through the array of keys at oauth.platform.intuit.com/op/v1/jwks for the public key information. The kid value should match the value that was returned in the ID token header.
If you have implemented logic to validate the ID token, ensure you are looping through the array elements and finding the element that matches the kid value from the ID token header.
If your logic doesn’t loop through all the array elements and/or looks for only a specific array element for a match for kid, then your implementation may break due to the changes being implemented.
How can I validate whether I am impacted?
- Validate if you are using Intuit’s OpenID Connect – If you have not implemented OpenID Connect, this change does not impact you.
- Validate if you have implemented ID token validation – If you have not implemented ID token validation, this change does not impact you.
- Validate your ID token implementation:
- If you’re using Intuit’s official Java SDK or PHP SDK to perform ID token validation, this change does not impact you. We still recommend that you test all flows.
- If you’re using Intuit’s .NET SDK and a version prior to V14.6.3.6, then you are impacted as the code in the older versions of this SDK did not loop through the array of public keys.
- If you’re not using any of the SDKs mentioned above, check your code to see if you are looping through the array of keys or if you are picking the first element. If your code doesn’t loop through all the array elements and/or looks for only a specific array element for a match for kid, then you are impacted.
What do I need to do next?
- If you are using our Java SDK, then no action is required.
- If you are using our PHP SDK, then no action is required.
- If you are using our .Net SDK, then update it to the latest version V14.6.3.6.
- If you are not using any of our SDKs and validating the ID token through your custom code, please ensure you are following all the instructions given here, paying particular attention to the instruction “Scan through the array of keys at oauth.platform.intuit.com/op/v1/jwks for the public key information. The kid value should match the value that was returned in the ID token header.”
- If you are not validating the ID token, then your application will continue to work. However, you must validate the ID token to avoid man-in-the-middle impersonation.
When do I need to take action?
Depending on your usage of our SDK or your custom code, you need to take action (as described above) before March 1, 2024.
What if I have additional questions?
Please share them on our developer forums!
Leave a Reply