[Openid-specs-fapi] JWT Secured Authorization Response Mode (#155)
bcampbell at pingidentity.com
Fri Aug 17 13:24:05 UTC 2018
On Thu, Aug 16, 2018 at 7:03 AM Torsten Lodderstedt <torsten at lodderstedt.net>
> > On 15.08.2018 at 21:44, Brian Campbell <
> bcampbell at pingidentity.com> wrote:
> > 4.3 Processing Rules has "(OPTIONAL) The JWT is decrypted using the key
> material registered with the expected issuer of the response."
> > But isn't decryption done with the client's own private key?
> Sure. What I wanted to say is the client should use its private key
> registered for that purpose with the AS (also fits your comment on client
> metadata parameters).
Yeah, that. The AS has the client's public key(s) marked with a "use":"enc"
via the client's metadata jwks or jwks_uri. And the client has the private
part in a private place.
Very similar to
http://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys in many