Registration: Client jwks / jwks_uri must not contain private key material

Issue #1007 resolved
Vladimir Dzhuvinov created an issue

The client registration spec should state explicitly that the client JWK set must not contain any private or secret keys. The OP must also reject such registration requests, to make the client developers aware of the leakage.

This can be stated in section 2 Client Metadata and in section 9 Security Considerations.

Proposed text:

2. Client Metadata

...

jwks_uri ... The JWK Set MUST contain public keys only.

...

9.2 Private and Secret Key Leakage

The Client's JSON Web Key Set [JWK] document, as specified by the jwks_uri and jwks Client Metadata values, MUST be validated by the Server to ensure no private or secret key material is present in it. If such validation of the JWK set fails the Server MUST reject the registration request with an appropriate error message to make the Relying Party aware of the key leakage.

I became aware of this problem in the OP cert tests, where the test RP tried to register itself with private key material in the "jwks" / "jwks_uri" parameter.
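The check the issue asks for, as an added example (this is not code from the issue, the spec, or any OP implementation): a registration-time validator that walks a client JWK Set and rejects it if any key carries private or symmetric material. The list of private members comes from RFC 7518 (sections 6.2.2, 6.3.2, 6.4) and RFC 8037 (section 2); the error code `invalid_client_metadata` is the one OpenID Connect Dynamic Client Registration defines for bad metadata. The function names and the sample JWK Sets are assumptions made for this example, and the key material in the samples is dummy base64url text, not real keys.

```python
"""Added example: reject a client JWK Set that leaks private or secret key material."""
import json

# JWK members that carry private or symmetric key material, per
# RFC 7518 sections 6.2.2 (RSA), 6.3.2 (EC) and RFC 8037 section 2 (OKP).
# "oct" keys are handled separately: a symmetric key is secret by definition.
PRIVATE_MEMBERS = {
    "RSA": frozenset({"d", "p", "q", "dp", "dq", "qi", "oth"}),
    "EC": frozenset({"d"}),
    "OKP": frozenset({"d"}),
}


def find_private_material(jwk_set):
    """Return [(index, kid, reasons)] for every key that is not a plain public key.

    `jwk_set` is an already-parsed JWK Set object ({"keys": [...]}).
    An empty list means the set contains public keys only.
    """
    findings = []
    for idx, jwk in enumerate(jwk_set.get("keys") or []):
        kid = jwk.get("kid")
        kty = jwk.get("kty")
        if kty == "oct":
            # Symmetric key: nothing in it is safe to publish, whether or not "k" is present.
            findings.append((idx, kid, ["kty=oct"]))
        elif kty in PRIVATE_MEMBERS:
            leaked = sorted(PRIVATE_MEMBERS[kty] & set(jwk))
            if leaked:
                findings.append((idx, kid, leaked))
        else:
            # Unknown or missing key type: we cannot tell which members are private,
            # so fail closed rather than let an unrecognised key through.
            findings.append((idx, kid, [f"unknown kty {kty!r}"]))
    return findings


def _error(description):
    # Error shape from OpenID Connect Dynamic Client Registration, section 3.3.
    return {"error": "invalid_client_metadata", "error_description": description}


def validate_registration_jwks(jwks_json):
    """Validate the "jwks" parameter (or the document fetched from "jwks_uri").

    Returns None when the set is acceptable, otherwise the registration error
    response body the OP should send back so the RP developer sees the leak.
    """
    try:
        jwk_set = json.loads(jwks_json)
    except ValueError:
        return _error("jwks is not a valid JSON document")
    if not isinstance(jwk_set, dict) or not isinstance(jwk_set.get("keys"), list):
        return _error("jwks is not a JWK Set object with a \"keys\" array")
    findings = find_private_material(jwk_set)
    if findings:
        detail = "; ".join(
            f"key {idx} (kid={kid!r}): {', '.join(reasons)}" for idx, kid, reasons in findings
        )
        return _error("JWK Set MUST contain public keys only: " + detail)
    return None


# Constructed samples (hypothetical, dummy key material, not real keys).
CLEAN_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-pub", "use": "sig", "n": "AQABAQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-pub", "crv": "P-256", "x": "AQAB", "y": "AQAB"},
]})

LEAKED_JWKS = json.dumps({"keys": [
    {"kty": "EC", "kid": "ec-pub", "crv": "P-256", "x": "AQAB", "y": "AQAB"},
    {"kty": "RSA", "kid": "rsa-priv", "n": "AQAB", "e": "AQAB",
     "d": "AQAB", "p": "AQAB", "q": "AQAB", "dp": "AQAB", "dq": "AQAB", "qi": "AQAB"},
    {"kty": "oct", "kid": "hmac", "k": "AQAB"},
]})

if __name__ == "__main__":
    print("clean set:", validate_registration_jwks(CLEAN_JWKS))
    print("leaked set:", validate_registration_jwks(LEAKED_JWKS))
```

The same validator applies to both metadata values: for `jwks` run it on the parameter as submitted, and for `jwks_uri` fetch the document at registration time and run it on the response body before storing the URI. Failing closed on an unrecognised `kty` is deliberate; an OP that only knows the members of the key types it supports cannot vouch for the rest.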
