[Openid-specs-fapi] Duplicate kids in jwks

Joseph Heenan joseph at authlete.com
Fri Jan 17 05:13:42 UTC 2020

Hi all,

I wanted to direct the FAPI working group to this discussion within the Connect working group:

https://bitbucket.org/openid/connect/issues/1127

Namely that duplicate kids are not permitted in JWKS.

A test for this was recently added to all the conformance tests, which caused one of the UK banks to opine:

> it is valid for the JWK endpoint to return multiple KID instances, one for each ‘alg’ supported?
> The spec calls for the alg PS256 or longer to be supported, so we also have (for instance) PS384, PS512. And although we may show a couple that we don’t need, my point is that it must be valid to show multiple key entries to support multiple valid alg values.

To some extent this seems a reasonable point: reusing a key across two algs that can use the same key seems ok, and arguably perhaps better than having the key once without an ‘alg’ specified.

As this affects the FAPI certification tests, I wanted to check the FAPI WG agrees with the decision in https://bitbucket.org/openid/connect/issues/1127 - any opinions (positive & negative) would be great please.


Joseph Heenan
OpenID Certification Team
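The situation the thread describes, as an added illustration that is not part of the original message or of the certification suite: a small checker that finds duplicate `kid` values in a JWKS, tells the benign case (one public key listed once per `alg`, as the bank does) apart from the dangerous one (two different keys behind one `kid`), and shows why a verifier that resolves keys by `kid` alone has to refuse the ambiguous case. The sample JWKS, its `kid` values and the key-material placeholders are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample JWKS (not from the thread). Entries 1-3 publish the same RSA
# public key under one kid, once per PS* alg; entries 4-5 are a genuine conflict,
# two different EC keys sharing a kid; entry 6 is a single key with no alg.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "bank-signing-1", "use": "sig", "alg": "PS256",
         "n": "modulus-placeholder-A", "e": "AQAB"},
        {"kty": "RSA", "kid": "bank-signing-1", "use": "sig", "alg": "PS384",
         "n": "modulus-placeholder-A", "e": "AQAB"},
        {"kty": "RSA", "kid": "bank-signing-1", "use": "sig", "alg": "PS512",
         "n": "modulus-placeholder-A", "e": "AQAB"},
        {"kty": "EC", "kid": "enc-1", "use": "enc", "crv": "P-256",
         "x": "x-placeholder-B", "y": "y-placeholder-B"},
        {"kty": "EC", "kid": "enc-1", "use": "enc", "crv": "P-256",
         "x": "x-placeholder-C", "y": "y-placeholder-C"},
        {"kty": "RSA", "kid": "bank-signing-2", "use": "sig",
         "n": "modulus-placeholder-D", "e": "AQAB"},
    ]
})

# Public members that identify the key material for each JWK key type
# (RFC 7518 section 6). Private members are deliberately never compared.
_PUBLIC_MEMBERS = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "OKP": ("crv", "x")}


def public_fingerprint(jwk):
    """Tuple that is equal for two JWKs exactly when they carry the same public key."""
    members = _PUBLIC_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported kty {jwk.get('kty')!r}")
    return (jwk["kty"],) + tuple(jwk.get(m) for m in members)


def find_duplicate_kids(jwks_json):
    """Return {kid: [entries]} for every kid that occurs more than once in the set."""
    by_kid = defaultdict(list)
    for jwk in json.loads(jwks_json)["keys"]:
        if "kid" in jwk:
            by_kid[jwk["kid"]].append(jwk)
    return {kid: entries for kid, entries in by_kid.items() if len(entries) > 1}


def classify_duplicates(jwks_json):
    """Label each duplicated kid as the same key repeated per alg, or as distinct keys."""
    report = {}
    for kid, entries in find_duplicate_kids(jwks_json).items():
        distinct = {public_fingerprint(e) for e in entries}
        report[kid] = ("same-key-multiple-alg" if len(distinct) == 1
                       else "distinct-keys-same-kid")
    return report


def select_key(jwks_json, kid, alg=None):
    """Resolve a JWS header's (kid, alg) to one JWK, refusing any ambiguity.

    A JWK without an alg member may be used with any alg suitable for its kty;
    a JWK with an alg member is bound to that alg only.
    """
    candidates = [k for k in json.loads(jwks_json)["keys"] if k.get("kid") == kid]
    if alg is not None:
        candidates = [k for k in candidates if k.get("alg") in (None, alg)]
    if not candidates:
        raise KeyError(f"no JWK with kid={kid!r} alg={alg!r}")
    fingerprints = {public_fingerprint(k) for k in candidates}
    if len(fingerprints) == 1:
        # Several copies of the same public key: any copy verifies identically.
        return candidates[0]
    raise ValueError(f"kid={kid!r} matches {len(fingerprints)} different keys; refusing to guess")


def validate_jwks(jwks_json):
    """Problems a duplicate-kid check like the one in the thread would report, one string each."""
    kinds = classify_duplicates(jwks_json)
    return [f"kid {kid!r} appears {len(entries)} times ({kinds[kid]})"
            for kid, entries in find_duplicate_kids(jwks_json).items()]


if __name__ == "__main__":
    for problem in validate_jwks(SAMPLE_JWKS):
        print(problem)
```

Running it reports both duplicated kids, but the classification differs: `bank-signing-1` is the per-alg repetition the bank describes (harmless to a verifier, since every copy is the same key), while `enc-1` is the case a uniqueness rule actually protects against, because a consumer that looks up `kid` alone cannot know which key the publisher meant. Whichever way the working group decides, a verifier is safest when it binds the JWS header's `alg` to the selected JWK and fails closed on the second kind of duplicate.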

