Federation: The OP Constructing the Response - Clarify which keys need to be preserved to facilitate roll-over

Issue #1174 resolved
Vladimir Dzhuvinov created an issue

In https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.

At this point, if there already exists a client registration under the same entity identifier then that registration MUST be regarded as invalid. Note that key material from the previous registration MUST be kept to make key rollover possible.

Is this the entity JWK set or the JWK set referenced by the client metadata (jwks_uri or jwks)?

  1. If it’s the entity statement JWK set, we don’t quite understand why these will need to be kept after an update.
  2. As for the jwks_uri / jwks, the roll-over is managed by the RP / client, by simply keeping the old keys in the set, until no longer used.

If some roll-over needs to happen re 1 (entity statement JWK set) then this could also be managed by the client, thus making the requirement for the OP redundant.
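As an added illustration of the client-managed roll-over in point 2 above (example code written for this page, not code from the issue, the OpenID Connect Federation spec or any OpenID project): the RP rolls a P-256 signing key by publishing the new key beside the old one in its JWK set, the verifier selects the key by `kid`, and the old key is removed only once nothing signed with it is in use. The key ids `key-2023` and `key-2024`, the issuer URL and the claim set are constructed values; `signES256`, `verifyWithSet` and `rolloverDemo` are this example's own helpers, not library APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk carries the RFC 7517 members of an EC public key needed to select a key by kid; jwks is the set an RP publishes.
type jwk struct{ Kty, Kid, Crv, X, Y string }
type jwks struct{ Keys []jwk }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWK exports a P-256 public key as a JWK entry under the given kid.
func publicJWK(kid string, pub *ecdsa.PublicKey) jwk {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return jwk{Kty: "EC", Kid: kid, Crv: "P-256", X: b64(x), Y: b64(y)}
}

// signES256 builds a compact JWS over payload and names the signing key in the kid header.
func signES256(kid string, priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	input := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64(sig), nil
}

// verifyWithSet checks a compact ES256 JWS against the set member whose kid matches; an unknown kid (e.g. a retired key) fails.
func verifyWithSet(token string, set jwks) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or unsupported alg %q", hdr.Alg)
	}
	var key *jwk
	for i := range set.Keys {
		if k := &set.Keys[i]; k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			key = k
		}
	}
	if key == nil {
		return nil, fmt.Errorf("kid %q not in JWK set", hdr.Kid)
	}
	x, errX := base64.RawURLEncoding.DecodeString(key.X)
	y, errY := base64.RawURLEncoding.DecodeString(key.Y)
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// rolloverDemo runs the client-managed roll-over from point 2 of the issue and reports: old-key token verifies
// during the overlap, new-key token verifies, old-key token still verifies after the old key is dropped from the set.
func rolloverDemo() (bool, bool, bool, error) {
	oldKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return false, false, false, fmt.Errorf("key generation failed")
	}
	payload := []byte(`{"iss":"https://rp.example.com"}`) // constructed claim set
	tokOld, err3 := signES256("key-2023", oldKey, payload) // phase 1: issued before the roll-over
	// phase 2: key-2024 is added and signs new tokens, but key-2023 stays published
	set := jwks{Keys: []jwk{publicJWK("key-2023", &oldKey.PublicKey), publicJWK("key-2024", &newKey.PublicKey)}}
	tokNew, err4 := signES256("key-2024", newKey, payload)
	if err3 != nil || err4 != nil {
		return false, false, false, fmt.Errorf("signing failed")
	}
	_, eOld := verifyWithSet(tokOld, set)
	_, eNew := verifyWithSet(tokNew, set)
	set.Keys = set.Keys[1:] // phase 3: nothing signed with key-2023 is in use any more, so retire it
	_, eRetired := verifyWithSet(tokOld, set)
	return eOld == nil, eNew == nil, eRetired == nil, nil
}

func main() {
	fmt.Println(rolloverDemo()) // prints: true true false <nil>
}
```

The set is sliced in place to keep the example short; a real publisher would regenerate the jwks_uri document and wait for relying parties' caches to expire before dropping the old entry, which is the "until no longer used" condition in point 2. Nothing in this flow requires the OP to retain the RP's earlier key material, since every key a still-valid token needs is in the set the RP itself publishes.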

Comments (2)

  1. Roland Hedberg

    Saving key material from the previous registration is not necessary for the OP to work but may be necessary to prove that accepting a trust chain when the old keys were active was correct.