[Openid-specs-ab] Issue #192: OP-Registration-jwks setting jwks_uri to null (openid/certification)

Quentin Castel issues-reply at bitbucket.org
Tue Feb 14 15:50:33 UTC 2017


New issue 192: OP-Registration-jwks setting jwks_uri to null
https://bitbucket.org/openid/certification/issues/192/op-registration-jwks-setting-jwks_uri-to

Quentin Castel:

# Description

The current OP-Registration-jwks test is sending both JWKS_URI and JWKS but the JWKS_URI is null.
The spec says that `The jwks_uri and jwks parameters MUST NOT be used together.`

Our current interpretation is that we shouldn't receive a JSON with both the jwks_uri and jwks.
So we implemented a check like this:

```python
# Key-presence check: reject when both parameters appear in the request body,
# whatever their values (so "jwks_uri": null still counts as present).
if "jwks_uri" in request and "jwks" in request:
    # => reject it
    raise ValueError("jwks_uri and jwks MUST NOT be used together")
```

We thought that maybe it was a mistake on the test to actually send the jwks_uri = null?
The standard doesn't mention a "valid jwks_uri and jwks", so can receiving null be considered a value?


```log
0.788284 ------------ RegistrationRequest ------------
0.788744 --> URL: https://ec2-54-213-25-148.us-west-2.compute.amazonaws.com:13081/openam/oauth2/connect/register
0.788752 --> BODY: {"token_endpoint_auth_method": "private_key_jwt", "subject_type": "public", "jwks_uri": null, "jwks": {"keys": [{"use": "enc", "n": "tx3Hjdbc19lkTiohbJrNj4jf2_90MEE122CRrwtFu6saDywKcG7Bi7w2FMAK2oTkuWfqhWRb5BEGmnSXdiCEPO5d-ytqP3nwlZXHaCDYscpP8bB4YLhvCn7R8Efw6gwQle24QPRP3lYoFeuUbDUq7GKA5SfaZUvWoeWjqyLIaBspKQsC26_Umx1E4IXLrMSL6nkRnrYcVZBAXrYCeTP1XtsV38_lZVJfHSaJaUy4PKaj3yvgm93EV2CXybPti7CCMXZ34VqqWiF64pQjZsPu3ZTr7ha_TTQq499-zYRQNDvIVsBDLQQIgrbctuGqj6lrXb31Jj3JIEYqH_4h5X9d0Q", "e": "AQAB", "kty": "RSA", "kid": "a0"}, {"use": "sig", "n": "zfZzttF7HmnTYwSMPdxKs5AoczbNS2mOPz-tN1g4ljqI_F1DG8cgQDcN_VDufxoFGRERo2FK6WEN41LhbGEyP6uL6wW6Cy29qE9QZcvY5mXrncndRSOkNcMizvuEJes_fMYrmP_lPiC6kWiqItTk9QBWqJfiYKhCx9cSDXsBmJXn3KWQCVHvj1ANFWW0CWLMKlWN-_NMNLIWJN_pEAocTZMzxSFBK1b5_5J8ZS7hfWRF6MQmjsJcz2jzA21SQZNpre3kwnTGRSwo05sAS-TyeadDqQPWgbqX69UzcGq5irhzN8cpZ_JaTk3Y_uV6owanTZLVvCgdjaAnMYeZhb0KFw", "e": "AQAB", "kty": "RSA", "kid": "a1"}, {"use": "sig", "crv": "P-256", "kty": "EC", "y": "wjsrQzgg-1fSCvg33YTJZSaJjmOSoYMv9JA9AD13jUU", "x": "RhBV9-mW7i0HA3SHx-BahAqmyu9EQsClYDOUknvktoI", "kid": "a2"}, {"use": "enc", "crv": "P-256", "kty": "EC", "y": "w3Nm27N8994v1ot6EeTlBqBTSbficMBqXmEKyfX3xvw", "x": "-SSIRDpjA-a6Tk2V2KsThRgUV8EU2gBjcmGd3DygnA0", "kid": "a3"}]}, "application_type": "web", "contacts": ["roland.hedberg at umu.se"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60592/logout"], "redirect_uris": ["https://op.certification.openid.net:60592/authz_cb", "https://op.certification.openid.net:60592/cb"], "response_types": ["code"], "require_auth_time": true, "grant_types": ["authorization_code"], "default_max_age": 3600}
0.788764 --> HEADERS: {'Content-Type': 'application/json'}
```
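The question in this issue comes down to what "used together" means when one of the two parameters is present as JSON null. The following Python is an added example, not code from the issue, from the OpenID certification suite or from OpenAM; the function names (`check_jwks_exclusivity`, `outcome`), the `null_means_absent` switch, the https requirement on `jwks_uri` and the shortened sample request bodies are all assumptions made for illustration. It implements the mutual-exclusion rule both ways: the key-presence reading from the issue (null still counts as "used") and the reading under which a null value is treated like an omitted parameter, and runs the registration body from the log, shortened, through both.

```python
import json


class RegistrationError(ValueError):
    """Raised when a Dynamic Client Registration request violates a constraint."""


def _is_used(body, name, null_means_absent):
    """Decide whether parameter `name` counts as 'used' in the request body.

    null_means_absent=False: a key whose value is JSON null still counts as
    used (the key-presence check described in the issue).
    null_means_absent=True: a null value is treated as if the key were omitted.
    """
    if name not in body:
        return False
    if body[name] is None:
        return not null_means_absent
    return True


def check_jwks_exclusivity(raw_body, null_means_absent=True):
    """Apply 'The jwks_uri and jwks parameters MUST NOT be used together'.

    raw_body is the JSON text of the registration request. Returns the name of
    the parameter that is in effect ('jwks_uri', 'jwks' or None when neither
    is given) or raises RegistrationError.
    """
    body = json.loads(raw_body)
    has_uri = _is_used(body, "jwks_uri", null_means_absent)
    has_jwks = _is_used(body, "jwks", null_means_absent)
    if has_uri and has_jwks:
        raise RegistrationError("jwks_uri and jwks MUST NOT be used together")
    if has_jwks:
        jwks = body["jwks"]
        keys = jwks.get("keys") if isinstance(jwks, dict) else None
        if not isinstance(keys, list) or not keys:
            raise RegistrationError("jwks must be a JWK Set with a non-empty 'keys' array")
        return "jwks"
    if has_uri:
        uri = body["jwks_uri"]
        # Local policy (assumption, not quoted from the spec): only fetch key
        # sets over https so the key material cannot be swapped in transit.
        if not isinstance(uri, str) or not uri.startswith("https://"):
            raise RegistrationError("jwks_uri must be an https URL")
        return "jwks_uri"
    return None


# Constructed sample bodies (key material shortened); not the real request.
SAMPLE_NULL_URI = json.dumps({
    "token_endpoint_auth_method": "private_key_jwt",
    "jwks_uri": None,
    "jwks": {"keys": [{"kty": "RSA", "kid": "a1", "use": "sig", "n": "...", "e": "AQAB"}]},
    "redirect_uris": ["https://client.example/cb"],
})

SAMPLE_BOTH = json.dumps({
    "jwks_uri": "https://client.example/jwks.json",
    "jwks": {"keys": [{"kty": "RSA", "kid": "a1", "n": "...", "e": "AQAB"}]},
})


def outcome(raw_body, null_means_absent):
    """Return the accepted parameter name, or 'rejected: <reason>'."""
    try:
        return check_jwks_exclusivity(raw_body, null_means_absent)
    except RegistrationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("null jwks_uri, null treated as absent :", outcome(SAMPLE_NULL_URI, True))
    print("null jwks_uri, key-presence check     :", outcome(SAMPLE_NULL_URI, False))
    print("both parameters set, either policy    :", outcome(SAMPLE_BOTH, True))
```

Whichever reading the OP settles on, the decision should be made in one place and logged with the reason, so a rejected registration from the conformance suite (or from a real client) can be traced back to the exact parameter combination that triggered it.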
