[Openid-specs-ab] Dynamic client registration and software statements
joseph at authlete.com
Fri Jan 11 10:17:05 UTC 2019
> On 9 Jan 2019, at 16:22, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Also, if the client is going to be a mobile app client and generate a private key locally on the device (or via trusted hardware) it seems that it MUST use the 'jwks' parameter and NOT the 'jwks_uri' parameter. However, the use of the 'jwks' parameter is kind of discouraged by the spec language saying that 'jwks_uri' should be used if possible do to "key rotation not supported" with the 'jwks' parameter.
I’m not sure if I follow that ‘MUST’ point - I was involved a system last year that use dynamically registered mobile devices with per-device keys & rotation. For various reasons those clients did use a jwks_uri, and the design involved a jwks hosting service - the client could rotate it’s keys by (if I remember correctly) obtaining a short-lived access token with a specific scope from the token endpoint which it could then use to call the “add new key” API in the jwks service.
An approach like you outline using jwks seems equally valid (and would likely have been easier), but we were limited as the particular Authorization Server (that the client did not want to move away from) did not have any support for rotating keys registered that way.
More information about the Openid-specs-ab