[Openid-specs-ab] Issue #1471: certification team query: allowing key rotation during tests (openid/connect)

josephheenan issues-reply at bitbucket.org
Thu Mar 31 08:50:54 UTC 2022


New issue 1471: certification team query: allowing key rotation during tests
https://bitbucket.org/openid/connect/issues/1471/certification-team-query-allowing-key

Joseph Heenan:

The certification team have recently received a request from an OP that is failing I believe pretty much every OpenID Connect Core Basic profile test.

The request is that all tests support key rotation whilst the test is running, and potentially multiple new keys during a test. (Currently the tests assume that all the keys needed for the test are present in the server jwks_uri at the start of the test.)

The reason the OP is requesting this is, as I understand it, that they dynamically create a new key in the server jwks_uri each time an id_token is issued.

From memory, I recall that previously we've explicitly allowed RPs to rate-limit fetching of the jwks_uri; I forget the exact details but I believe there are clients that (even when presented with an unknown kid) won't refetch jwks_uri if they've fetched it in the last (say) 60 seconds - and that position seems incompatible with the requested change.

Any guidance from the working group would be welcome.

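The interaction the issue describes, as an added example (not code from the post, the working group, or the conformance suite): a simulated OP that publishes a new key in its jwks_uri every time it issues an id_token, and an RP-side JWKS cache that refetches on an unknown kid but not more often than a minimum interval. The 60-second interval, the class names and the JWK entries are assumptions and constructed stand-ins; no signatures are produced or verified, only the kid-to-key lookup the RP has to perform before it can verify anything.

```python
"""JWKS cache with a rate-limited refetch on unknown kid (added example).

Models the situation in the issue: an OP that adds a new key to its
jwks_uri each time it issues an id_token, and an RP that caches jwks_uri
and will not refetch it more often than once per MIN_REFETCH_INTERVAL
seconds, even when it sees a kid it does not know. No real signing or
signature verification is done; the JWK entries are constructed stand-ins.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed RP policy value; the issue only says "(say) 60 seconds".
MIN_REFETCH_INTERVAL = 60.0


class UnknownKeyError(Exception):
    """Raised when the RP cannot resolve the id_token's kid to a key."""


@dataclass
class SimulatedOP:
    """Hypothetical OP that publishes a fresh key for every id_token it issues."""
    clock: Callable[[], float]
    jwks: List[dict] = field(default_factory=list)
    fetch_count: int = 0
    issued: int = 0

    def issue_id_token(self) -> dict:
        self.issued += 1
        kid = f"key-{self.issued}"
        # Constructed JWK; a real entry would also carry n, e, alg, ...
        self.jwks.append({"kid": kid, "kty": "RSA", "use": "sig"})
        # Constructed id_token JOSE header; only the kid matters for lookup here.
        return {"alg": "RS256", "kid": kid, "typ": "JWT"}

    def fetch_jwks(self) -> List[dict]:
        """Stands in for an HTTP GET of jwks_uri."""
        self.fetch_count += 1
        return list(self.jwks)


class JwksCache:
    """RP-side key cache: refetches on unknown kid, but not more often than min_interval."""

    def __init__(self, fetcher: Callable[[], List[dict]],
                 clock: Callable[[], float], min_interval: float) -> None:
        self._fetcher = fetcher
        self._clock = clock
        self._min_interval = min_interval
        self._keys: Dict[str, dict] = {}
        self._last_fetch: Optional[float] = None

    def _refresh(self) -> None:
        self._keys = {jwk["kid"]: jwk for jwk in self._fetcher() if "kid" in jwk}
        self._last_fetch = self._clock()

    def key_for(self, kid: str) -> dict:
        if self._last_fetch is None:
            self._refresh()  # first use: always fetch
        jwk = self._keys.get(kid)
        if jwk is not None:
            return jwk
        # Unknown kid: refetch only if the rate limit has elapsed.
        if self._clock() - self._last_fetch >= self._min_interval:
            self._refresh()
            jwk = self._keys.get(kid)
            if jwk is not None:
                return jwk
        raise UnknownKeyError(kid)


def run_scenario(min_interval: float, seconds_between_logins: float,
                 logins: int = 3) -> Tuple[List[str], int]:
    """Issue `logins` id_tokens from the simulated OP, spaced apart in time, and
    report whether the RP could resolve each kid plus the number of jwks_uri fetches."""
    now = [0.0]

    def clock() -> float:  # injected fake clock so the run is deterministic
        return now[0]

    op = SimulatedOP(clock)
    rp = JwksCache(op.fetch_jwks, clock, min_interval)
    outcomes: List[str] = []
    for _ in range(logins):
        header = op.issue_id_token()
        try:
            rp.key_for(header["kid"])
            outcomes.append("ok")
        except UnknownKeyError:
            outcomes.append("unknown_kid")
        now[0] += seconds_between_logins
    return outcomes, op.fetch_count


if __name__ == "__main__":
    print("rate-limited RP, logins 10s apart:", run_scenario(MIN_REFETCH_INTERVAL, 10.0))
    print("rate-limited RP, logins 60s apart:", run_scenario(MIN_REFETCH_INTERVAL, 60.0))
    print("RP refetching on every unknown kid:", run_scenario(0.0, 10.0))
```

With the rate-limited cache and logins arriving faster than the interval, only the first id_token's kid resolves; every later one is rejected as an unknown kid even though the OP has published the key, which is the incompatibility the issue points at. Spacing the logins out to the interval, or dropping the rate limit, makes every lookup succeed at the cost of one jwks_uri fetch per login.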