[Openid-specs-ab] Issue #1479: [Federation Metadata] jwks claim (openid/connect)
peppelinux
issues-reply at bitbucket.org
Fri Apr 22 18:19:27 UTC 2022
New issue 1479: [Federation Metadata] jwks claim
https://bitbucket.org/openid/connect/issues/1479/federation-metadata-jwks-claim
Giuseppe De Marco:
In OIDC Dynamic Client Registration we have `jwks` and `jwks_uri` as OPTIONAL claims for RPs.
In OpenID Connect Discovery 1.0 we have only `jwks_uri` as REQUIRED for OPs.
Why OpenID Connect Discovery 1.0 doesn’t have `jwks` as well, as for RP?
In OpenID Federation we have `signed_jwks_uri` for RP and OP, as OPTIONAL metadata claim.
`signed_jwks_uri` points to a signed JSON containing the jwks; this JSON MUST be signed with the jwks published in the Entity Statement of its issuer.
In the OIDC Federation specs I propose to have the `jwks` claim in the OP metadata, to allow the OIDC public keys to be signed directly in the Entity Statement and trusted with the Chain, without any additional pointer/check to another URL as it is for `signed_jwks_uri` (that adds an additional verification of the signature and then so much complexity).
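The difference the issue describes, as an added illustration that is not part of the issue or of any OpenID Federation implementation: an Entity Statement whose OP metadata carries `jwks` lets a verifier obtain the OP keys from the already-verified statement, while `signed_jwks_uri` leaves a pointer that still needs a fetch and a second signature check. All values are constructed, the issuer key is assumed to be already trusted via the chain, and HS256 replaces the asymmetric signature a real statement uses.

```python
import base64, hashlib, hmac, json

# Constructed demo values, not from the issue. A real Entity Statement is signed with an
# asymmetric key from the issuer's federation `jwks`; HS256 stands in so this runs offline.
ISSUER_FEDERATION_KEY = b"constructed-demo-secret"

# Hypothetical OP statement carrying the proposed `jwks` inside the OP metadata.
OP_STATEMENT_WITH_JWKS = {
    "iss": "https://op.example.org", "sub": "https://op.example.org",
    "iat": 1650650367, "exp": 1650736767,
    "jwks": {"keys": [{"kty": "oct", "kid": "fed-key-1", "use": "sig"}]},
    "metadata": {"openid_provider": {
        "issuer": "https://op.example.org",
        "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "op-sig-1",
                           "x": "<constructed>", "y": "<constructed>"}]}}},
}

# Same statement with only the pointer that the issue says costs a second verification.
OP_STATEMENT_WITH_URI = json.loads(json.dumps(OP_STATEMENT_WITH_JWKS))
OP_STATEMENT_WITH_URI["metadata"]["openid_provider"] = {
    "issuer": "https://op.example.org", "signed_jwks_uri": "https://op.example.org/jwks.jose"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_entity_statement(payload: dict, key: bytes) -> str:
    """Compact JWS over the statement: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "entity-statement+jwt"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify_entity_statement(token: str, key: bytes) -> dict:
    """Verify the statement signature with the issuer key and return the payload."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("entity statement signature invalid")
    return json.loads(_b64url_decode(body))

def op_signing_keys(token: str, key: bytes) -> dict:
    """OP keys an RP may use, and whether a further fetch and signature check remain."""
    op = verify_entity_statement(token, key)["metadata"]["openid_provider"]
    if "jwks" in op:  # keys already covered by the signature checked above
        return {"source": "jwks", "keys": op["jwks"]["keys"], "fetch_required": False}
    # Only a pointer: the RP must fetch signed_jwks_uri and verify a second JWS.
    return {"source": "signed_jwks_uri", "uri": op["signed_jwks_uri"], "fetch_required": True}
```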