Is sub_jwk required or not if sub_type is "did"?
In https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html#section-6.3-2.2.2.1.1 we read
did
_Decentralized Identifier sub type. When this subject type is used, the sub value MUST be a DID defined in [DID-CORE], and sub_jwk MUST NOT be included in the Self-Issued OP response. The subject type MUST be cryptographically verified against the resolved DID Document as defined in Self-Issued OP Validation._
But in https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html#section-7.2-3.2.2.1.1 we read
sub_jwk
When sub type is did, sub_jwk MUST contain a kid that is a DID URL referring to the verification method in the Self-Issued OP's DID Document that can be used to verify the JWS of the idtoken directly or indirectly. The sub_jwk value is a JSON object. Use of the sub_jwk Claim is NOT RECOMMENDED when the OP is not Self-Issued
Excuse me in advance if it was my trivial misunderstanding of the text.
Comments (6)
- changed status to open
-
The correct statement is
When sub type is did, sub_jwk MUST NOT be included
I will make sure this is corrected when we merge DW’s upcoming PR about resolvable subject identifiers.
-
Addressed in PR #68 - will close this issue when this PR gets merged.
-
- changed status to resolved
PR #68. Please let the editors know if it's still not clear enough.