[Openid-specs-fapi] How can RS get clients' public keys without a federation
Kosuke Koiwai
kkoiwai at gmail.com
Mon Oct 7 03:54:16 UTC 2024
Dear FAPIers,
When a client uses a sender-constrained access token to access a
resource server, the RS has to know the public key of the client.
In a federated situation, it can be easily done, but without a
federation, what is the standard or best practice to share the public
keys of clients between AS and RS?
A possible solution could be an extension to the OAuth 2.0 Token
Introspection, or adding jks claims to the JSON Web Token (JWT)
Profile for OAuth 2.0 Access Tokens.
Is there a standard or de-facto spec for this?
Thanks,
Kosuke
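As an added illustration, not part of Kosuke's message and not text from any FAPI or IETF specification, the following Python shows the mechanism the sender-constraining specs already use so that the RS does not need a client key directory at all: the AS puts a RFC 7800 `cnf` claim into the JWT access token (RFC 9068) or into the introspection response (RFC 8705 section 3.2, RFC 9449 section 6.2) holding a thumbprint of the client's key, either `jkt` for the DPoP key or `x5t#S256` for the mTLS client certificate. On every resource request the RS recomputes the thumbprint from the key the client presents (the `jwk` header of the DPoP proof, or the TLS client certificate) and compares it with `cnf`. The JWK coordinates, certificate bytes and function names below are constructed for the example; verification of the access-token signature and of the DPoP proof itself (`htm`, `htu`, `ath`, `nonce`, `iat`) is assumed to be done elsewhere.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638, section 3.2: the members that enter the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members serialized as
    compact JSON with keys in lexicographic order. Optional members such as
    kid, alg or use are deliberately left out of the hash."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 'x5t#S256': base64url SHA-256 of the DER-encoded certificate."""
    return b64url(hashlib.sha256(cert_der).digest())


# --- AS side: bind the token to the client key via the 'cnf' claim ---

def issue_dpop_bound_claims(client_jwk: dict, subject: str) -> dict:
    """Claims of a DPoP-bound token: cnf.jkt is the thumbprint of the key the
    client proved possession of at the token endpoint (RFC 9449)."""
    return {"sub": subject, "cnf": {"jkt": jwk_thumbprint(client_jwk)}}


def issue_mtls_bound_claims(client_cert_der: bytes, subject: str) -> dict:
    """Claims of an mTLS-bound token: cnf.x5t#S256 (RFC 8705)."""
    return {"sub": subject, "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}


# --- RS side: compare what the client presents now against 'cnf' ---

def rs_check_dpop_binding(token_claims: dict, dpop_proof_jwk: dict) -> bool:
    """True only if the public key carried in the DPoP proof's 'jwk' header
    matches cnf.jkt. A token without a DPoP binding is rejected outright."""
    expected = token_claims.get("cnf", {}).get("jkt")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, jwk_thumbprint(dpop_proof_jwk))


def rs_check_mtls_binding(token_claims: dict, presented_cert_der: bytes) -> bool:
    """True only if the certificate from the TLS handshake matches cnf.x5t#S256."""
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, cert_thumbprint(presented_cert_der))


# Constructed sample values for the example; not real client keys or certificates.
CLIENT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "client-key-1",  # optional member: must not change the thumbprint
}
OTHER_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
CLIENT_CERT_DER = b"constructed-der-bytes-standing-in-for-a-client-cert"


if __name__ == "__main__":
    claims = issue_dpop_bound_claims(CLIENT_JWK, "client-app")
    print("cnf issued by AS:", claims["cnf"])
    print("proof with bound key accepted:", rs_check_dpop_binding(claims, CLIENT_JWK))
    print("proof with other key accepted:", rs_check_dpop_binding(claims, OTHER_JWK))
```

The point for the RS is that nothing in `cnf` has to be looked up: the thumbprint is all the RS needs, and the client itself supplies the full key on each request. The same `cnf` object can be returned from the introspection endpoint for opaque tokens, so the RS code above works unchanged whether it parses a JWT access token or calls introspection.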