[Openid-specs-ab] Use new jwks registration parameter to provision keys to clients?

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Thu Nov 21 21:05:49 UTC 2013

Hi guys,

Ticket #903 that Nat posted calls for a new jwks parameter to enable
native clients to register their public keys directly with the provider:


What do you think of allowing this parameter to also be used as simple
mean to provision clients with keys generated by the provider? Do you
see any problems with that? I find this a very attractive option for a
use case that we face. Currently there's no standard OIDC way to
provision keys to clients when they register.

It could work like this:

The client sends a registration request that implies use of an
asymmetric key (e.g. JWT private key auth, or signed requests) but
doesn't provide any jwks_url or jwks parameter. In that case the server
generates a key pair and returns it with the jwks parameter in the
response JSON.



Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com

More information about the Openid-specs-ab mailing list