Why does an RSA JWK with "x5u" require "e" and "n"?

Issue #52 closed
Former user created an issue

Doesn't "x5u" mean the key is somewhere else? If so, why would I include it in the JWK and the link? This is more of a question about the standard... but I think it might warrant a library change if I'm right, so I wanted to get your take as well.

Asked with links to the RFCs here: https://ask.auth0.com/t/jwk-i-dont-understand-the-x5u-parameter.

Comments (3)

  1. Brian Campbell (repo owner)

    x5u and x5c are optional and provide additional information about the key. The parameters that make up the key are always required. That's just how JWK is. The x5* things are more of a bridge to X.509 certificates within JWK/JOSE than anything else. There is duplicate information, but it was deemed an okay trade-off for the simplicity of always having the main key parameters in a JWK.

    While I did push for what eventually became x5c in JWK (https://www.ietf.org/proceedings/86/slides/slides-86-jose-3.pdf), I've honestly never really seen the case for x5u in JWK. Seems to make more sense in JWS but things happen sometimes and it found its way to JWE and JWK too.

    I'm not sure exactly what you're looking to do. But going from public keys or certs into JWK is pretty straightforward.

      import java.security.cert.X509Certificate;
      import org.jose4j.jwk.PublicJsonWebKey;

      X509Certificate cert = ...  // e.g. loaded from a keystore or PEM file
      // n and e are taken from the certificate's public key; throws JoseException on failure
      PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(cert.getPublicKey());
    

    And you can set x5u on it or x5c or whatever too.

    If you want a list of x5u things somewhere, you can certainly do that. It's just not JWK.

    And maybe the x5u JWT/JWS header parameter would be useful?
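The point made above, that n and e stay mandatory in an RSA JWK while x5u/x5c only add certificate context, as an added example that is not code from this thread or from jose4j. All key values are constructed and the x5u URL is a placeholder.

```python
"""Constructed example: an RSA public JWK must carry n and e (RFC 7518 section 6.3.1)
even when x5u or x5c point at a certificate (RFC 7517 sections 4.6 and 4.7)."""
import base64


def b64url_uint(value: int) -> str:
    """Base64urlUInt (RFC 7518 section 2): minimal big-endian octets, no '=' padding."""
    if value < 0:
        raise ValueError("Base64urlUInt encodes non-negative integers only")
    octets = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(octets).rstrip(b"=").decode("ascii")


def b64url_uint_decode(text: str) -> int:
    """Inverse of b64url_uint; rejects padded or non-minimal encodings."""
    if not text or "=" in text:
        raise ValueError("Base64urlUInt must be non-empty and unpadded")
    octets = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    if len(octets) > 1 and octets[0] == 0:
        raise ValueError("non-minimal Base64urlUInt (leading zero octet)")
    return int.from_bytes(octets, "big")


def rsa_public_jwk(n: int, e: int, kid=None, x5u=None, x5c_der=None) -> dict:
    """Build the JWK: n and e are mandatory, x5u/x5c are optional certificate hints."""
    jwk = {"kty": "RSA", "n": b64url_uint(n), "e": b64url_uint(e)}
    if kid:
        jwk["kid"] = kid
    if x5u:
        jwk["x5u"] = x5u  # URI of a PEM certificate chain; the key itself stays inline
    if x5c_der:
        # x5c uses standard base64 (not base64url) of each DER-encoded certificate
        jwk["x5c"] = [base64.b64encode(der).decode("ascii") for der in x5c_der]
    return jwk


def validate_rsa_jwk(jwk: dict):
    """Return (n, e) from a JWK or raise ValueError; x5u/x5c never stand in for them."""
    if jwk.get("kty") != "RSA":
        raise ValueError("kty must be RSA")
    missing = [m for m in ("n", "e") if m not in jwk]
    if missing:
        raise ValueError(f"required RSA members missing: {missing}; x5u/x5c do not replace them")
    n = b64url_uint_decode(jwk["n"])
    e = b64url_uint_decode(jwk["e"])
    # RFC 7518 section 3.3: RSA keys used with JWS algorithms must be at least 2048 bits
    if n.bit_length() < 2048 or e < 3 or e % 2 == 0:
        raise ValueError("modulus too small or implausible public exponent")
    return n, e
```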

  2. Josh Hoff

    Thanks for the explanation. I was planning to store links to the keys in a JWKS file (like a manifest), but if that's not supported I'll just store the keys separately. It doesn't look like I can close this, but feel free to.
