[Federation] OP Metadata should have at least one of jwks or signed_jwks_uri as REQUIRED
In 4.2. OP Metadata we have:
signed_jwks_uri
OPTIONAL. A URI pointing to a signed JWT having the ...
jwks
OPTIONAL. JSON Web Key Set document, passed by value ...
We should say that signed_jwks_uri is REQUIRED if jwks is absent and vice versa.
It would be “REQUIRED if jwks is absent.” and “REQUIRED if signed_jwks_uri is absent.” Is there any suggestion for a better definition?
Comments (3)
reporter:
In https://openid.net/specs/openid-connect-registration-1_0.html
Under jwks it says among other things:
“If a Client can use jwks_uri, it MUST NOT use jwks.” and “The jwks_uri and jwks parameters MUST NOT be used together.”
We could use the same wording, substituting jwks_uri with signed_jwks_uri.
Interestingly enough it nowhere says you MUST have one or the other. Only using symmetric key crypto works if you use explicit client registration where the OP returns a client_secret. It doesn’t work for automatic client registration.
reporter changed status to resolved
The same for 4.1. RP Metadata.
It should be REQUIRED if jwks and jwks_uri are absent.
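The wording proposed in this thread, turned into a metadata check. This is an added example and not code from the Federation spec or any implementation; it encodes, for OP metadata, that one of jwks and signed_jwks_uri is REQUIRED and that the two MUST NOT be used together, and for RP metadata, that one of jwks, jwks_uri and signed_jwks_uri is REQUIRED with jwks and jwks_uri mutually exclusive as in the registration spec. The metadata type names openid_provider and openid_relying_party, the function names, the https-only check on the URI parameters and the constructed sample documents are all this example's own assumptions.

```python
"""Key-material checks for OP and RP metadata (added example, not spec code)."""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Parameters that may carry the entity's keys, per metadata type
# (type names assumed here; the sections discussed are 4.1 and 4.2).
KEY_PARAMS = {
    "openid_provider": ("jwks", "signed_jwks_uri"),
    "openid_relying_party": ("jwks", "jwks_uri", "signed_jwks_uri"),
}

# Pairs that MUST NOT be used together: the registration-spec rule for
# jwks/jwks_uri, and the same rule with signed_jwks_uri substituted for the OP.
MUTUALLY_EXCLUSIVE = {
    "openid_provider": (("jwks", "signed_jwks_uri"),),
    "openid_relying_party": (("jwks", "jwks_uri"),),
}


def key_material_errors(entity_type: str, metadata: dict) -> list[str]:
    """Return every violation found (empty list means the metadata passes)."""
    if entity_type not in KEY_PARAMS:
        return [f"unsupported metadata type {entity_type!r}"]
    allowed = KEY_PARAMS[entity_type]
    present = [p for p in allowed if p in metadata]
    errors: list[str] = []

    # "REQUIRED if the other(s) are absent": at least one must be present.
    if not present:
        errors.append(f"{entity_type}: one of {', '.join(allowed)} is REQUIRED")

    # "MUST NOT be used together".
    for a, b in MUTUALLY_EXCLUSIVE[entity_type]:
        if a in metadata and b in metadata:
            errors.append(f"{entity_type}: {a} and {b} MUST NOT be used together")

    # Shape checks on whatever is present. The https-only requirement is this
    # example's own policy, not text from the spec.
    for param in present:
        value = metadata[param]
        if param == "jwks":
            keys = value.get("keys") if isinstance(value, dict) else None
            if not isinstance(keys, list) or not keys:
                errors.append("jwks must be a JWK Set object with a non-empty 'keys' array")
        else:
            parsed = urlparse(value) if isinstance(value, str) else None
            if parsed is None or parsed.scheme != "https" or not parsed.netloc:
                errors.append(f"{param} must be an absolute https URI")
    return errors


def validate_entity_metadata(document: str) -> dict[str, list[str]]:
    """Check each known metadata type inside a JSON {"metadata": {...}} document."""
    metadata = json.loads(document)["metadata"]
    return {
        etype: key_material_errors(etype, md)
        for etype, md in metadata.items()
        if etype in KEY_PARAMS
    }


# Constructed sample documents (not taken from the spec), one per rule.
OP_OK = json.dumps({"metadata": {"openid_provider": {
    "issuer": "https://op.example.org",
    "signed_jwks_uri": "https://op.example.org/signed-jwks.jwt"}}})
OP_NONE = json.dumps({"metadata": {"openid_provider": {
    "issuer": "https://op.example.org"}}})
OP_BOTH = json.dumps({"metadata": {"openid_provider": {
    "jwks": {"keys": [{"kty": "RSA", "kid": "a"}]},
    "signed_jwks_uri": "https://op.example.org/signed-jwks.jwt"}}})
RP_BAD = json.dumps({"metadata": {"openid_relying_party": {
    "jwks": {"keys": []},
    "jwks_uri": "http://rp.example.org/jwks"}}})

if __name__ == "__main__":
    for name, doc in (("OP_OK", OP_OK), ("OP_NONE", OP_NONE),
                      ("OP_BOTH", OP_BOTH), ("RP_BAD", RP_BAD)):
        print(name, validate_entity_metadata(doc))
```

The check keeps the "at least one" and "not both" rules separate so a validator reports each violation on its own; a document carrying jwks alongside signed_jwks_uri satisfies the first rule and still fails the second.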