[Openid-specs-fapi] JWT Secured Authorization Response Mode (#155)

Brian Campbell bcampbell at pingidentity.com
Fri Aug 17 13:24:05 UTC 2018

On Thu, Aug 16, 2018 at 7:03 AM Torsten Lodderstedt <torsten at lodderstedt.net>

> > Am 15.08.2018 um 21:44 schrieb Brian Campbell <
> bcampbell at pingidentity.com>:
> >
> > 4.3 Processing Rules has "(OPTIONAL) The JWT is decrypted using the key
> material registered with the expected issuer of the response."
> >
> > But isn't decryption done with the client's own private key?
> Sure. What I wanted to say is the client should use its private key
> registered for that purpose with the AS (also fits your comment on client
> metadata parameters).

Yeah, that. The AS has the client's public key(s) marked with a "use":"enc"
via the client's metadata jwks or jwks_uri. And the client has the private
part in a private place.

Very similar to
http://openid.net/specs/openid-connect-core-1_0.html#Encryption and
http://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys in many

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180817/9fcad1a7/attachment-0001.html>

More information about the Openid-specs-fapi mailing list