Change Announcement - JSON Web Key (JWK) for Public Elliptic-curve (EC) Key
<p>Ashish Maheshwari, Software Engineer, Verizon Media</p>
<p>In this post, we outline a change in the way we expose the JSON Web Key (JWK) for our public Elliptic-curve (EC) key at this endpoint: <a href="https://api.login.yahoo.com/openid/v1/certs">https://api.login.yahoo.com/openid/v1/certs</a>, as well as the immediate steps affected users should take. Affected users are any clients who parse our JWK to extract the EC public key, for example to verify a signed token such as an ID token.</p>
<p>The X and Y coordinates of our EC public key were serialized as signed big-endian integers. When the most significant bit of a 32-byte coordinate is set, such an encoder (for example, a two's-complement big-integer serializer) prepends a 0x00 byte so the value stays positive, and the coordinate grows from 32 to 33 bytes. RFC 7518 (section 6.2.1.2) requires the x and y octet strings of a P-256 key to be exactly 32 octets long, so the padded form is non-conformant. In our current key only the Y coordinate is affected (its leading byte is 0xAF); the leading byte of X (0x71) has the high bit clear, so X was already 32 bytes and does not change. While most commonly used libraries that convert a JWK to a public key tolerate the extra leading byte, others expect a length strictly equal to 32 bytes. Code that works around the current encoding by unconditionally discarding the first byte of a coordinate will break once the padding is gone, so the change can be a breaking change for those clients.</p>
<p>Here are the steps affected users should take:</p>
<ul><li>Any code or flow that extracts our EC public key from the JWK needs to be tested against this change. Below are our pre-change and post-change production JWKs for the EC public key. Please verify that your code can successfully parse the new JWK, and that the key it produces is the same as the one it produced from the current JWK. Note that only the base64url value of the Y coordinate changes; the kid and the X coordinate are unchanged.</li>
</ul><p>We are planning to make this change live on July 20th, 2020. If you have any questions/comments, please tweet <a href="https://twitter.com/ydn">@YDN</a> or <a href="mailto:oidc.issues@verizonmedia.com">email us</a>.</p>
<p><strong>Current production EC JWK:</strong></p>
<p><code>{"keys":[{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}]}</code></p>
<p><strong>EC JWK after change is live:</strong></p>
<p><code>{"keys":[{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"rxX9OCD9rIaheKx6LAs4KWR6Rz1-Lj1phRCmdjUDL_I"}]}</code></p>
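<p>The following is an added, stand-alone Python example for testing a JWK parser against both documents above; it is not code from Verizon Media or from any JOSE library. It embeds the two published JWK sets, decodes the coordinates with a strict RFC 7518 length check and with a lenient mode that tolerates only a single leading 0x00 byte, verifies the resulting point lies on P-256 using the curve's published domain parameters, and re-encodes the Y coordinate both ways to show that a signed big-integer serializer reproduces the old 33-byte value while a fixed-length encoder reproduces the new 32-byte one. The names <code>parse_ec_jwk</code>, <code>decode_coordinate</code>, <code>signed_bigint_bytes</code> and <code>fixed_length_bytes</code> are this example's own.</p>

```python
import base64
import json

# P-256 (secp256r1) domain parameters from SEC 2 / FIPS 186-4: y^2 = x^3 - 3x + b (mod p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_COORD_LEN = 32  # RFC 7518 s.6.2.1.2: x and y MUST be exactly 32 octets for P-256

# Values copied from the two JWK sets published in the announcement above.
KID = "3466d51f7dd0c780565688c183921816c45889ad"
X_B64 = "cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I"
Y_B64_PADDED = "AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"  # current: 33 bytes, leading 0x00
Y_B64_FIXED = "rxX9OCD9rIaheKx6LAs4KWR6Rz1-Lj1phRCmdjUDL_I"    # after change: 32 bytes

def _jwk_set(y_b64):
    key = {"kty": "EC", "alg": "ES256", "use": "sig", "crv": "P-256",
           "kid": KID, "x": X_B64, "y": y_b64}
    return json.dumps({"keys": [key]})

JWK_BEFORE = _jwk_set(Y_B64_PADDED)  # the "Current production EC JWK" document
JWK_AFTER = _jwk_set(Y_B64_FIXED)    # the "EC JWK after change is live" document

def b64url_decode(text):
    # JWK values carry no '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_coordinate(text, lenient=False):
    """Decode one base64url coordinate to an integer.

    Strict mode enforces the RFC 7518 fixed length. Lenient mode additionally
    accepts the 33-byte form written by a signed big-integer encoder, but only
    when the extra byte is a leading 0x00; any other length is a real error.
    """
    raw = b64url_decode(text)
    if len(raw) == P256_COORD_LEN:
        return int.from_bytes(raw, "big")
    if lenient and len(raw) == P256_COORD_LEN + 1 and raw[0] == 0x00:
        return int.from_bytes(raw[1:], "big")
    raise ValueError("P-256 coordinate must be %d octets, got %d" % (P256_COORD_LEN, len(raw)))

def is_on_p256(x, y):
    """Reject points that are not on the curve (a basic public-key sanity check)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

def parse_ec_jwk(jwk_set, kid, lenient=False):
    """Return the (x, y) public point for the key with the given kid."""
    key = next(k for k in json.loads(jwk_set)["keys"] if k.get("kid") == kid)
    if key.get("kty") != "EC" or key.get("crv") != "P-256":
        raise ValueError("expected an EC key on P-256")
    x = decode_coordinate(key["x"], lenient)
    y = decode_coordinate(key["y"], lenient)
    if not is_on_p256(x, y):
        raise ValueError("public point is not on P-256")
    return x, y

def parses_strictly(jwk_set, kid):
    """True if the key parses under the strict RFC 7518 length rule."""
    try:
        parse_ec_jwk(jwk_set, kid)
        return True
    except ValueError:
        return False

def signed_bigint_bytes(n):
    """Minimal two's-complement big-endian encoding of a non-negative integer,
    the shape a signed big-integer serializer produces: a 0x00 byte is prepended
    whenever the top bit of the magnitude is set. This is what yields 33 bytes."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def fixed_length_bytes(n):
    """The JWK-conformant encoding: exactly 32 big-endian bytes, never a sign byte."""
    return n.to_bytes(P256_COORD_LEN, "big")

if __name__ == "__main__":
    x, y = parse_ec_jwk(JWK_AFTER, KID)
    print("strict parse of current JWK :", parses_strictly(JWK_BEFORE, KID))
    print("strict parse of new JWK     :", parses_strictly(JWK_AFTER, KID))
    print("lenient old == new          :", parse_ec_jwk(JWK_BEFORE, KID, lenient=True) == (x, y))
    print("signed encoding of Y        :", b64url_encode(signed_bigint_bytes(y)))
    print("fixed-length encoding of Y  :", b64url_encode(fixed_length_bytes(y)))
    print("signed encoding of X is 32B :", len(signed_bigint_bytes(x)) == P256_COORD_LEN)
```

<p>Running it shows the current JWK failing the strict check while the new one passes, both documents yielding the same public point, and the two encoders reproducing the published Y values exactly. If your code has a work-around that drops the first byte of every coordinate, replace it with the conditional strip shown in <code>decode_coordinate</code> (or better, with <code>int.to_bytes(32, "big")</code>-style fixed-length handling on the encoding side), otherwise the 32-byte value that goes live on July 20th will be truncated to 31 bytes and signature verification will fail.</p>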