[Openid-specs-ab] Issue #1332: is sub_jwk required or not if sub_type is "did"? (openid/connect)

peppelinux issues-reply at bitbucket.org
Sat Sep 4 23:21:28 UTC 2021


New issue 1332: is sub_jwk required or not if sub_type is "did"?
https://bitbucket.org/openid/connect/issues/1332/is-sub_jwk-required-or-not-if-sub_type-is

Giuseppe:

In [https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1\_0.html#section-6.3-2.2.2.1.1](https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html#section-6.3-2.2.2.1.1) we read  
  
did  
_Decentralized Identifier sub type. When this subject type is used, the sub value MUST be a DID defined in \[DID-CORE\], and **sub\_jwk MUST NOT be included in the Self-Issued OP response**. The subject type MUST be cryptographically verified against the resolved DID Document as defined in Self-Issued OP Validation._

  
But in [https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1\_0.html#section-7.2-3.2.2.1.1](https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html#section-7.2-3.2.2.1.1) we read  
  
sub\_jwk  
_**When sub type is did, sub\_jwk MUST contain a kid that is a DID URL** referring to the verification method in the Self-Issued OP's DID Document that can be used to verify the JWS of the idtoken directly or indirectly. The sub\_jwk value is a JSON object. Use of the sub\_jwk Claim is NOT RECOMMENDED when the OP is not Self-Issued_

  
Excuse me in advance if it was my trivial misunderstanding of the text.

