
Changes to identity signature keys that may impact your application

What is happening?

Our team is making a change so that the oauth.platform.intuit.com/op/v1/jwks endpoint returns more than one key in the keys array of its response.

Before May 3, 2024, the endpoint will return:

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "r4p5SbL2qaFehFzhj8gI",
      "alg": "RS256",
      "n": "54-aWrVT4QtCcQhOs9269d9AD…kE"
    }
  ]
}

After May 3, 2024, the above endpoint will return:

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "r4p5SbL2qaFehFzhj8gI",
      "alg": "RS256",
      "n": "54-aWrVT4QtCcQhOs9269d9AD…kE"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "NewKidSample",
      "alg": "RS256",
      "n": "NewPublicKid"
    }
  ]
}

How does this impact me?

If you have implemented logic to validate the ID token, make sure it iterates over every element of the keys array and selects the element whose kid value matches the kid in the ID token header.

If your logic does not iterate over all of the array elements, or only inspects a fixed position (for example, the first element) when matching the kid, your implementation may break once the second key is published.

How can I validate whether I am impacted?

  1. Validate if you are using Intuit’s OpenID Connect – If you have not implemented OpenID Connect, this change does not impact you.
  2. Validate if you have implemented ID token validation – If you have not implemented ID token validation, this change does not impact you.
  3. Validate your ID token implementation:
    • If you’re using Intuit’s official Java SDK, PHP SDK, NodeJS oAuth client library, or Python oAuth client library to perform ID token validation, this change does not impact you. We still recommend that you test all flows.
    • If you’re using a version of Intuit’s .NET SDK prior to v14.6.3.6, you are impacted because the code in the older versions of this SDK did not loop through the array of public keys.
    • If you are using a version of the Ruby oAuth client library prior to v1.0.3, you are impacted because the code did not loop through the array of public keys.
    • If you’re not using any of the SDKs mentioned above, check whether your code loops through the array of keys or simply picks the first element. If it does not loop through all of the array elements, or only checks a specific array element for a matching kid, then you are impacted.

What do I need to do next?

  1. If you are using our Java SDK, then no action is required.
  2. If you are using our PHP SDK, then no action is required.
  3. If you are using our .NET SDK, then update it to the latest version, v14.6.3.6.
  4. If you are using the Ruby oAuth client, install and use the latest version, v1.0.3.
  5. If you are using our NodeJS oAuth client, then no action is required.
  6. If you are using our Python oAuth client, then no action is required.
  7. If you are not using any of our SDKs and are validating the ID token in your own code, please ensure you are following all the instructions given here, paying particular attention to the instruction: “Scan through the array of keys at oauth.platform.intuit.com/op/v1/jwks for the public key information. The kid value should match the value that was returned in the ID token header.”
  8. If you are not validating the ID token, your application will continue to work. However, you must validate the ID token; otherwise a forged or tampered token cannot be distinguished from a genuine one, which allows man-in-the-middle impersonation.
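The key-selection logic described under “How does this impact me?” and in step 7 above, end to end, as an added example. This is not Intuit’s code and not code from any of the SDKs named above. It is stdlib-only Python: the RSA key generation and PKCS#1 v1.5 signing/verification are a throwaway demo implementation so the script runs offline without calling the jwks endpoint (use a maintained JOSE library in production). The JWKS document (with the kid values reused from the sample response above), the issuer URL https://issuer.example, the claims and the function names are all constructed for the demo. The broken “always use keys[0]” pattern is run side by side with a lookup by kid so the failure is visible.

```python
# Added example, not Intuit's code: pick the JWKS key by kid, then verify RS256.
# Stdlib only; the RSA routines below are a minimal demo implementation, not for production.
import base64, hashlib, hmac, json, random

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo prefix

def _is_probable_prime(n, rng, rounds=16):  # Miller-Rabin, adequate for demo keys
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits, rng):  # demo-only key pair with e = 65537
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1  # top bit set, odd
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _int_to_b64u(i):  # JWK "n"/"e" encoding: base64url of the big-endian integer
    return _b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, signing_input, sig):
    n, e = (int.from_bytes(_b64u_decode(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def make_jwk(kid, key):  # same field set as the jwks response shown on this page
    return {"kty": "RSA", "e": _int_to_b64u(key["e"]), "use": "sig",
            "kid": kid, "alg": "RS256", "n": _int_to_b64u(key["n"])}

def make_id_token(kid, key, claims):
    header = _b64u(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims).encode())
    return f"{header}.{payload}." + _b64u(rs256_sign(key, f"{header}.{payload}".encode()))

def select_key(jwks, kid):
    # The fix this page asks for: scan every entry and match on kid. Also insist on exactly
    # one usable RS256 signing key, since a duplicate kid is a misconfiguration, not a choice.
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "RSA"
               and k.get("use", "sig") == "sig" and k.get("alg", "RS256") == "RS256"]
    if len(matches) != 1:
        raise ValueError(f"expected one usable key with kid={kid!r}, found {len(matches)}")
    return matches[0]

def verify_id_token(token, jwks, pick_key=select_key):
    """Returns the claims if the signature verifies; the caller still checks iss/aud/exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64u_decode(header_b64))
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    jwk = pick_key(jwks, header.get("kid"))
    if not rs256_verify(jwk, f"{header_b64}.{payload_b64}".encode(), _b64u_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64u_decode(payload_b64))

def demo():
    """Constructed JWKS shaped like the 'after' response above: old kid first, new kid appended."""
    rng = random.Random(20240503)  # seeded so the demo keys are reproducible
    old_key, new_key = gen_rsa_key(512, rng), gen_rsa_key(512, rng)
    jwks = {"keys": [make_jwk("r4p5SbL2qaFehFzhj8gI", old_key), make_jwk("NewKidSample", new_key)]}
    token = make_id_token("NewKidSample", new_key, {"iss": "https://issuer.example", "sub": "user-1"})
    def attempt(pick_key):
        try:
            return "accepted: " + verify_id_token(token, jwks, pick_key)["sub"]
        except ValueError as exc:
            return str(exc)
    return {"first_element": attempt(lambda j, _kid: j["keys"][0]),  # the broken pattern
            "kid_lookup": attempt(select_key)}                        # the required pattern
```

Running `demo()` shows the keys[0] attempt failing with “bad signature”, because the token was signed with the newly appended key, while the lookup by kid verifies it. In a real client, cache the JWKS document and refetch it when the token header carries a kid you have not cached yet; that way the next key rotation needs no code change, and `select_key` raising on an unknown kid is the trigger for the refetch rather than a hard failure.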

When do I need to take action?

Depending on your usage of our SDK or your custom code, you need to take action (as described above) before May 3, 2024.

What if I have additional questions?


This article was updated on March 14, 2024, to change the implementation date of the new feature from March 1, 2024, to May 3, 2024, and to include Intuit’s NodeJS oAuth client and Python oAuth client libraries for validating ID token implementation.
