[Openid-specs-ab] Issue #1007: Registration: Client jwks / jwks_uri must not contain private key material (openid/connect)
issues-reply at bitbucket.org
Wed Dec 28 07:43:54 UTC 2016
New issue 1007: Registration: Client jwks / jwks_uri must not contain private key material
The client registration spec should state explicitly that the client JWK set must not contain any private or secret keys. The OP must also reject such registration requests, to make the client developers aware of the leakage.
This can be stated in section 2 Client Metadata and in section 9 Security Considerations.
> **2. Client Metadata**
> **jwks_uri** ... The JWK Set MUST contain public keys only.
> **9.2 Private and Secret Key Leakage**
> The Client's JSON Web Key Set [JWK] document, as specified by the jwks_uri and jwks Client Metadata values, MUST be validated by the Server to ensure no private or secret key material is present in it. If such validation of the JWK set fails the Server MUST reject the registration request with an appropriate error message to make the Relying Party aware of the key leakage.
I became aware of this problem in the OP cert tests, where the test RP tried to register itself with private key material in the "jwks" / "jwks_uri" parameter.
More information about the Openid-specs-ab