[Openid-specs-fapi] How can RS get clients' public keys without a federation
Kosuke Koiwai
kkoiwai at gmail.com
Mon Oct 7 06:34:52 UTC 2024
This is solved as Taka kindly shared the following links with me.
https://datatracker.ietf.org/doc/html/rfc8705#name-jwt-certificate-thumbprint-
https://datatracker.ietf.org/doc/html/rfc7800#section-3
On Mon, Oct 7, 2024 at 12:54 PM Kosuke Koiwai <kkoiwai at gmail.com> wrote:
>
> Dear FAPIers,
>
> When a client uses a sender-constrained access token to access a
> resource server, the RS has to know the public key of the client.
>
> In a federated situation, it can be easily done, but without a
> federation, what is the standard or best practice to share the public
> keys of clients between AS and RS?
>
> A possible solution could be an extension to the OAuth2.0 Token
> Introspection, or adding jks claims to the JSON Web Token (JWT)
> Profile for OAuth 2.0 Access Tokens.
> Is there a standard or de-facto spec for this?
>
> Thanks,
>
> Kosuke
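The two RFCs linked in the reply answer the question without any key-distribution channel between AS and RS: the AS embeds the client's key material in the token's `cnf` (confirmation) claim, either as the SHA-256 thumbprint of the client's mutual-TLS certificate (RFC 8705, `x5t#S256`) or as the public key itself (RFC 7800, `jwk`), and the RS only has to compare that against what the client presents on the connection. The following is an added, self-contained illustration of both checks written for this thread; it is not code from any FAPI or OAuth implementation. It signs the demo token with HS256 purely to stay self-contained (a real AS would use an asymmetric signature and publish its own JWKS), and the certificate DER bytes and EC key coordinates are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not a real key, certificate, or EC point).
AS_KEY = b"constructed-demo-as-signing-key"
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-der-bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-different-cert-der"
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
FAR_FUTURE_EXP = 4102444800  # 2100-01-01, keeps the demo token valid


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 certificate thumbprint: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the required public members only,
    serialised with lexically ordered keys and no whitespace (kid etc. are ignored)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def issue_token(claims: dict, as_key: bytes) -> str:
    """AS side: sign the claims (HS256 here only so the demo needs no key pair)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(as_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, as_key: bytes) -> dict:
    """RS side, step 1: check the AS signature and expiry before trusting any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(as_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad token signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def sender_matches(claims: dict, presented_cert_der: bytes = None, presented_jwk: dict = None) -> bool:
    """RS side, step 2: bind the token to the key the client actually proved on this request.
    presented_cert_der is the client certificate from the mutual-TLS handshake (RFC 8705);
    presented_jwk is the key the client demonstrated possession of (RFC 7800 cnf.jwk)."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # no confirmation claim: a plain bearer token, rejected by a sender-constraining RS
    if "x5t#S256" in cnf:
        if presented_cert_der is None:
            return False
        return hmac.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der))
    if "jwk" in cnf:
        if presented_jwk is None:
            return False
        return jwk_thumbprint(cnf["jwk"]) == jwk_thumbprint(presented_jwk)
    return False  # unknown confirmation method


def demo() -> dict:
    """Issue an mTLS-bound and a key-bound token and run the RS checks on each."""
    mtls_tok = issue_token({"sub": "client-1", "exp": FAR_FUTURE_EXP,
                            "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}, AS_KEY)
    jwk_tok = issue_token({"sub": "client-1", "exp": FAR_FUTURE_EXP,
                           "cnf": {"jwk": CLIENT_JWK}}, AS_KEY)
    return {
        "mtls_right_cert": sender_matches(verify_token(mtls_tok, AS_KEY), presented_cert_der=CLIENT_CERT_DER),
        "mtls_wrong_cert": sender_matches(verify_token(mtls_tok, AS_KEY), presented_cert_der=OTHER_CERT_DER),
        "jwk_right_key": sender_matches(verify_token(jwk_tok, AS_KEY), presented_jwk=dict(CLIENT_JWK, kid="c1")),
        "bearer_no_cnf": sender_matches({"sub": "client-1"}, presented_cert_der=CLIENT_CERT_DER),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The RS never needs a client registry: the AS vouched for the key when it issued the token, and the RS only checks that the same key was used on the connection. Note the order of operations in `demo()`: the signature and expiry are verified before `cnf` is read, otherwise an attacker could present a forged token naming their own certificate.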