[Openid-specs-fapi] Issue #278: duplicate kid (openid/fapi)

josephheenan issues-reply at bitbucket.org
Thu Feb 6 13:00:45 UTC 2020


New issue 278: duplicate kid
https://bitbucket.org/openid/fapi/issues/278/duplicate-kid

Joseph Heenan:

[I’d previously sent an email to the WG list, but on the 5th Feb WG call, Nat asked me to open this as a ticket so it can be properly tracked.]

  
I wanted to direct the FAPI working group to this discussion within the Connect working group:

[https://bitbucket.org/openid/connect/issues/1127](https://bitbucket.org/openid/connect/issues/1127)

Namely that duplicate kids are not permitted in JWKS.

A test for this was recently added to all the conformance tests, which caused one of the UK banks to opine:

> Is it valid for the JWK endpoint to return multiple KID instances, one for each ‘alg’ supported?  
> The spec calls for the alg PS256 or longer to be supported, so we also have (for instance) PS384, PS512. And although we may show a couple that we don’t need, my point is that it must be valid to show multiple key entries to support multiple valid alg values. 


To some extent this seems a reasonable point; reusing a key across two algs that can use the same key seems ok, and arguably perhaps better than having the key once without an ‘alg’ specified.


As this affects the FAPI certification tests, I wanted to check the FAPI WG agrees with the decision in [https://bitbucket.org/openid/connect/issues/1127](https://bitbucket.org/openid/connect/issues/1127) - any opinions (positive & negative) would be great please.
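As an added illustration of the point under discussion (this is example code written for this page, not code from the ticket, the conformance suite or any bank), the checker below takes a JWKS and separates the two cases the bank's question runs together: the same key material published several times under one kid with a different `alg` each time, versus genuinely different keys that happen to share a kid. It uses the RFC 7638 JWK thumbprint to decide whether two entries are the same key, shows why a verifier that looks keys up by kid alone can pick an entry whose `alg` disagrees with the JWS header, and rewrites the first case into the single-entry-without-`alg` form. The JWKS documents and key values are constructed for the example and carry no real key material; the function names are my own.

```python
"""Duplicate-kid checks over a JWKS (added example; not the conformance suite's code)."""
import hashlib
import json
from collections import defaultdict

# RFC 7638: the members that define a key's identity, per key type (lexicographic order).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

# Constructed JWKS (fake key material): one RSA signing key published three times
# under the same kid, once per PS* alg, plus one unrelated encryption key.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sig-2020-02", "use": "sig", "alg": "PS256", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9", "e": "AQAB"},
    {"kty": "RSA", "kid": "sig-2020-02", "use": "sig", "alg": "PS384", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9", "e": "AQAB"},
    {"kty": "RSA", "kid": "sig-2020-02", "use": "sig", "alg": "PS512", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-2020-02", "use": "enc", "alg": "RSA-OAEP", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmb", "e": "AQAB"},
]}

# Constructed JWKS in which two different keys share a kid: the case a unique-kid
# rule actually guards against, since a kid-only lookup cannot tell them apart.
CLASHING_JWKS = {"keys": [
    {"kty": "RSA", "kid": "k1", "alg": "PS256", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9", "e": "AQAB"},
    {"kty": "EC", "kid": "k1", "alg": "ES256", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8T", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
]}


def thumbprint(jwk):
    """RFC 7638 thumbprint (SHA-256 hex) over the key-defining members only, so two
    entries that differ only in kid, alg or use hash to the same value."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def duplicate_kids(jwks):
    """Map each kid that appears more than once to its entries (entries with no kid are ignored)."""
    by_kid = defaultdict(list)
    for jwk in jwks["keys"]:
        if "kid" in jwk:
            by_kid[jwk["kid"]].append(jwk)
    return {kid: entries for kid, entries in by_kid.items() if len(entries) > 1}


def classify_duplicates(jwks):
    """'same-key' when every entry under a kid carries identical key material (the
    one-entry-per-alg pattern); 'distinct-keys' when one kid names different keys."""
    result = {}
    for kid, entries in duplicate_kids(jwks).items():
        result[kid] = "same-key" if len({thumbprint(e) for e in entries}) == 1 else "distinct-keys"
    return result


def select_by_kid(jwks, kid):
    """The common verifier shortcut: first entry whose kid matches, alg ignored."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


def select_by_kid_and_alg(jwks, kid, alg):
    """Stricter lookup: kid must match and, if the entry names an alg, it must equal
    the alg from the JWS header being verified."""
    for k in jwks["keys"]:
        if k.get("kid") == kid and k.get("alg") in (None, alg):
            return k
    return None


def collapse_same_key_entries(jwks):
    """Publish each (kid, key material) pair once and drop 'alg' from entries that
    were collapsed; different keys sharing a kid are kept so the clash still shows."""
    seen, keys = {}, []
    for jwk in jwks["keys"]:
        ident = (jwk.get("kid"), thumbprint(jwk))
        if ident in seen:
            seen[ident].pop("alg", None)  # one entry now covers every alg this key serves
            continue
        copy = dict(jwk)
        seen[ident] = copy
        keys.append(copy)
    return {"keys": keys}


if __name__ == "__main__":
    print("sample:", classify_duplicates(SAMPLE_JWKS))
    print("clashing:", classify_duplicates(CLASHING_JWKS))
    print("kid-only pick for a PS384 header:", select_by_kid(SAMPLE_JWKS, "sig-2020-02")["alg"])
    print("collapsed:", json.dumps(collapse_same_key_entries(SAMPLE_JWKS)))
```

Run against `SAMPLE_JWKS`, the kid-only lookup hands a verifier of a PS384-signed JWT the PS256 entry; the key material is the same so the signature still checks, which is why that layout feels harmless, but a verifier that also enforces the entry's `alg` will reject it, and nothing in the kid tells the two apart. Collapsing to one entry without `alg` removes that ambiguity, while `CLASHING_JWKS` stays flagged because the two entries really are different keys.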





More information about the Openid-specs-fapi mailing list