[Openid-specs-fapi] Issue #740: Client's Public Key Retrieval (openid/fapi)
Takahiko Kawasaki
issues-reply at bitbucket.org
Fri May 9 19:44:51 UTC 2025
New issue 740: Client's Public Key Retrieval
https://bitbucket.org/openid/fapi/issues/740/clients-public-key-retrieval
Takahiko Kawasaki:
Are there any standards other than OpenID Federation that allow resource servers to retrieve a client’s public key? To verify an HTTP message signature in a resource request, the resource server needs the client application’s public key - that is, the counterpart to the private key used to sign the HTTP message. However, there is currently no standardized way for the resource server to obtain this public key. Has there been any discussion in the community about standardizing a method for retrieving clients' public keys?
As far as I know, OpenID Federation is currently the only standard that enables resource servers to retrieve client metadata (and subsequently the client’s public key via the `jwks_uri` property). However, adopting OpenID Federation is too heavy for most API systems, as it requires authorized third parties to operate trust anchors and intermediate authorities.
A straightforward solution to obtain the client’s public key might be to include a property - such as `client_jwks_uri` - in the introspection response that indicates the location of the client’s JWK Set. But I’m not sure if that’s an appropriate approach…