Federation: Jwks not really needed in explicit registration statement returned to RP
In explicit registration the OP returns an entity statement to the RP where the RP is the subject and the metadata policy is used to compose the final client registration JSON object.
https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.2.2
According to the entity statement spec the jwks claim is required, but in this particular use of the statement, to return the client information to the RP, it's not really needed since it's the RP's own data.
https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.2.1
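As an added example (not code from this issue or from the oidcfederation project), the Python below sketches the check the issue argues for: an entity statement validator that treats jwks as required everywhere except in the statement an OP returns to the RP after explicit registration, together with a simplified metadata-policy application used to compose the final client metadata. The policy operator semantics and their ordering, the helper names, and the sample RP metadata and OP policy are all constructed for illustration; JWT signature verification is left out.

```python
import json
import time

# Claims every entity statement must carry (Section 2.1 of the draft); jwks is
# handled separately because of the explicit-registration exception.
REQUIRED_CLAIMS = ("iss", "sub", "iat", "exp")


def validate_entity_statement(payload, explicit_registration_response=False):
    """Return a list of problems found in a decoded entity statement payload.

    An empty list means the claims are acceptable. Verifying the signature of
    the surrounding JWT is out of scope here. jwks is required except in the
    statement an OP returns to an RP in answer to an explicit registration
    request: there the subject is the RP and the keys would be the RP's own.
    """
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in payload]
    if "jwks" not in payload:
        if not explicit_registration_response:
            problems.append("missing claim: jwks")
    elif not isinstance(payload["jwks"], dict) or not isinstance(payload["jwks"].get("keys"), list):
        problems.append("jwks must be a JWK Set object with a 'keys' array")
    if {"iat", "exp"} <= payload.keys() and payload["exp"] <= payload["iat"]:
        problems.append("exp must be later than iat")
    return problems


def apply_metadata_policy(policy, metadata):
    """Compose final metadata from the subject's proposal and a metadata policy.

    Operators are applied per claim in the order value, add, default, one_of,
    subset_of, superset_of, essential (assumed here; a simplified reading of
    the draft). Raises ValueError when the proposal cannot satisfy the policy.
    """
    result = dict(metadata)
    for claim, rules in policy.items():
        current = result.get(claim)
        if "value" in rules:
            current = rules["value"]
        if "add" in rules:
            current = list(current or [])
            for v in rules["add"]:
                if v not in current:
                    current.append(v)
        if "default" in rules and current is None:
            current = rules["default"]
        if "one_of" in rules and current is not None and current not in rules["one_of"]:
            raise ValueError(f"{claim}: {current!r} is not one of {rules['one_of']}")
        if "subset_of" in rules and current is not None:
            current = [v for v in current if v in rules["subset_of"]]
        if "superset_of" in rules and current is not None and not set(rules["superset_of"]) <= set(current):
            raise ValueError(f"{claim}: must contain all of {rules['superset_of']}")
        if rules.get("essential") and current is None:
            raise ValueError(f"{claim}: essential claim is missing")
        if current is not None:
            result[claim] = current
    return result


def registration_response_statement(op_id, rp_id, rp_metadata, op_policy, lifetime=3600, now=None):
    """Build the payload an OP returns to an RP after explicit registration.

    Hypothetical helper, not the project's API. The subject is the RP and no
    jwks claim is included, which is the point made in the issue.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": op_id,
        "sub": rp_id,
        "iat": now,
        "exp": now + lifetime,
        "metadata": {"openid_relying_party": apply_metadata_policy(op_policy, rp_metadata)},
    }


# Constructed sample input: what an RP proposes and what the OP's policy allows.
RP_METADATA = {
    "redirect_uris": ["https://rp.example.com/callback"],
    "response_types": ["code", "id_token"],
    "grant_types": ["authorization_code", "implicit"],
    "contacts": ["ops@rp.example.com"],
}
OP_POLICY = {
    "response_types": {"subset_of": ["code"]},
    "grant_types": {"subset_of": ["authorization_code", "refresh_token"]},
    "token_endpoint_auth_method": {"default": "private_key_jwt", "one_of": ["private_key_jwt"]},
    "redirect_uris": {"essential": True},
    "contacts": {"add": ["federation-admin@op.example.org"]},
}

if __name__ == "__main__":
    stmt = registration_response_statement(
        "https://op.example.org", "https://rp.example.com", RP_METADATA, OP_POLICY)
    print(json.dumps(stmt, indent=2))
    print("as registration response:", validate_entity_statement(stmt, explicit_registration_response=True))
    print("as generic entity statement:", validate_entity_statement(stmt))
```

Run the module directly to see the composed registration response and the two validation outcomes: the same payload passes when checked as an explicit-registration response and is flagged only for the absent jwks when checked under the generic rule.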
Comments (3)
reporter: Thanks. Here is one suggested wording to update the jwks spec (added a second sentence):
jwks
OPTIONAL. A JSON Web Key Set (JWKS) representing the public part of the subject entity's signing keys. REQUIRED in all entity statements except those issued by an OP for an RP in response to an explicit client registration request as specified in Section 9.2. The corresponding private key is used by leaf entities to sign entity statements about themselves, and intermediate entities to sign statements about other entities. The keys that can be found here are primarily intended to sign entity statements and should not be used in other protocols.
reporter changed status to resolved
I see an edit was already applied: https://github.com/rohe/oidcfederation/commit/4ff5567e8835ec614139d3581ed576e9904c984f
Correct