[Openid-specs-ab] Issue #1332: is sub_jwk required or not if sub_type is "did"? (openid/connect)
peppelinux
issues-reply at bitbucket.org
Sat Sep 4 23:21:28 UTC 2021
New issue 1332: is sub_jwk required or not if sub_type is "did"?
https://bitbucket.org/openid/connect/issues/1332/is-sub_jwk-required-or-not-if-sub_type-is
Giuseppe:
In [https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1\_0.html#section-6.3-2.2.2.1.1](https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html#section-6.3-2.2.2.1.1) we read
did
_Decentralized Identifier sub type. When this subject type is used, the sub value MUST be a DID defined in \[DID-CORE\], and **sub\_jwk MUST NOT be included in the Self-Issued OP response**. The subject type MUST be cryptographically verified against the resolved DID Document as defined in Self-Issued OP Validation._
But in [https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1\_0.html#section-7.2-3.2.2.1.1](https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html#section-7.2-3.2.2.1.1) we read
sub\_jwk
_**When sub type is did, sub\_jwk MUST contain a kid that is a DID URL** referring to the verification method in the Self-Issued OP's DID Document that can be used to verify the JWS of the idtoken directly or indirectly. The sub\_jwk value is a JSON object. Use of the sub\_jwk Claim is NOT RECOMMENDED when the OP is not Self-Issued_
excuse me in advance if it was my trivial misunderstanding of the text