[Openid-specs-ab] Issue #1371: Simplify passing the public key to the RP (openid/connect)
David Chadwick
issues-reply at bitbucket.org
Thu Dec 9 18:20:27 UTC 2021
New issue 1371: Simplify passing the public key to the RP
https://bitbucket.org/openid/connect/issues/1371/simplify-passing-the-public-key-to-the-rp
David Chadwick:
The existing proposed method of sending the public key from the SIOP to the RP is not optimum. It requires creating the hash of the public key and then sending the public key alongside it.
Section 3.4 of RFC 7638 describes how it works. First a hashing algorithm has to be agreed out of band, then data canonicalisation has to be performed. Both of these steps can lead to grief.
Then the public key has to be obtained and the recipient recomputes the hash and sees if it matches the received hash.
I would therefore propose a much simpler and less error-prone method for sharing the public key as a URI, namely, the key holder takes the JSON specification of the public key as specified in RFC 7517 then base64 encodes it. The recipient simply base64 decodes the structure and ends up with the JWK. No canonicalisation is needed because the recipient gets the JSON object the sender encoded. No hashing algorithm has to be agreed out of band.
The public key can be made into a URI in a similar fashion to the thumbprint e.g.
* `urn:ietf:params:oauth:jwk:<base 64 encoding public key parameters>`
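The two schemes side by side, as an added example that is not part of the issue or of any OpenID specification: the RFC 7638 thumbprint path (canonicalise the required JWK members, hash, and have the recipient recompute and compare) next to the proposed base64-encoded JWK URN (decode and parse, nothing to recompute). The thumbprint URN is written in the `urn:ietf:params:oauth:jwk-thumbprint:sha-256:` layout later standardised in RFC 9278; the sample key is constructed from the EC example coordinates in RFC 7515 Appendix A.3.

```python
import base64
import hashlib
import json

# Constructed sample JWK (EC P-256 public key, RFC 7517). The coordinates are
# the example values from RFC 7515 Appendix A.3; "alg" and "kid" are extras
# that RFC 7638 deliberately leaves out of the thumbprint input.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256", "kid": "example-key-1",
}

# RFC 7638 section 3: only these members, in lexicographic order, are hashed.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
                    "oct": ("k", "kty")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: canonical JSON of the required members, SHA-256, base64url."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

THUMBPRINT_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"
JWK_PREFIX = "urn:ietf:params:oauth:jwk:"

def thumbprint_urn(jwk: dict) -> str:
    # The hash algorithm name travels inside the URN instead of out of band.
    return THUMBPRINT_PREFIX + jwk_thumbprint(jwk)

def verify_thumbprint_urn(jwk: dict, urn: str) -> bool:
    """Recipient side: recompute the hash over the received key and compare."""
    return urn.startswith(THUMBPRINT_PREFIX) and \
        jwk_thumbprint(jwk) == urn[len(THUMBPRINT_PREFIX):]

def jwk_urn(jwk: dict) -> str:
    """Proposed alternative: the whole JWK, base64url-encoded, inside the URN."""
    return JWK_PREFIX + b64url(json.dumps(jwk).encode("utf-8"))

def jwk_from_urn(urn: str) -> dict:
    """Recipient side: no hash and no canonicalisation, just decode and parse."""
    if not urn.startswith(JWK_PREFIX):
        raise ValueError("not a jwk URN")
    return json.loads(b64url_decode(urn[len(JWK_PREFIX):]))
```

Note that `jwk_urn` changes with member order and with optional members such as `kid`, so unlike the thumbprint it is a transport encoding of the key rather than a stable identifier for it.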