[Federation] OP Metadata should have at least one of jwks or signed_jwks_uri as REQUIRED

Issue #1505 resolved
Giuseppe De Marco created an issue

in 4.2. OP Metadata we have

signed_jwks_uri
OPTIONAL. A URI pointing to a signed JWT having the  ...

jwks
OPTIONAL. JSON Web Key Set document, passed by value ...

we should say that signed_jwks_uri is REQUIRED if jwks is absent and vice versa.

it would be “REQUIRED if jwks is absent.” and “REQUIRED if jwks is absent.” is there any suggestion for a better definition?

Comments (3)

  1. Roland Hedberg

    In https://openid.net/specs/openid-connect-registration-1_0.html

    Under jwks it says among other things:

    “If a Client can use jwks_uri, it MUST NOT use jwks.” and

    “The jwks_uri and jwks parameters MUST NOT be used together.”

    We could use the same wording. Substituting jwks_uri with signed_jwks_uri.

    Interestingly enough it nowhere says you MUST have one or the other. Only using symmetric key crypto works if you use explicit client registration where the OP returns a client_secret. It doesn’t work for automatic client registration.
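An added example (not code from the issue, the OpenID Federation spec, or any implementation): a small Python check that enforces the rule discussed above, namely that OP metadata carries exactly one of jwks and signed_jwks_uri, on constructed sample documents. The issuer URL, the signed_jwks_uri value and the key coordinates are placeholders.

```python
from urllib.parse import urlparse

# Constructed sample OP metadata documents (placeholder values, not real OPs).
OP_WITH_JWKS = {
    "issuer": "https://op.example.org",
    "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "op-1",
                       "x": "<placeholder>", "y": "<placeholder>"}]},
}
OP_WITH_SIGNED_URI = {
    "issuer": "https://op.example.org",
    "signed_jwks_uri": "https://op.example.org/jwks.jose",
}
OP_WITH_BOTH = {**OP_WITH_JWKS, "signed_jwks_uri": "https://op.example.org/jwks.jose"}
OP_WITH_NEITHER = {"issuer": "https://op.example.org"}


def check_op_key_metadata(metadata: dict) -> list[str]:
    """Return the list of problems found; an empty list means the document passes."""
    problems = []
    has_jwks = "jwks" in metadata
    has_uri = "signed_jwks_uri" in metadata

    # Rule proposed in the issue: one of the two is REQUIRED.
    if not (has_jwks or has_uri):
        problems.append("one of jwks or signed_jwks_uri is REQUIRED")
    # Wording borrowed from Dynamic Client Registration: never both at once.
    if has_jwks and has_uri:
        problems.append("jwks and signed_jwks_uri MUST NOT be used together")

    if has_jwks:
        # jwks is passed by value, so it must already be a usable JWK Set.
        jwks = metadata["jwks"]
        keys = jwks.get("keys") if isinstance(jwks, dict) else None
        if not isinstance(keys, list) or not keys:
            problems.append("jwks must be a JWK Set with a non-empty 'keys' array")
        elif any(not isinstance(k, dict) or "kty" not in k for k in keys):
            problems.append("every JWK in jwks must carry 'kty'")

    if has_uri:
        # The signed JWT will be fetched later; at least insist on an https URL now.
        parsed = urlparse(str(metadata["signed_jwks_uri"]))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("signed_jwks_uri must be an absolute https URL")

    return problems
```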
