[Federation] Specify requirement for the JWT "kid" header in Entity Statements, etc

Issue #2138 resolved
Vladimir Dzhuvinov created an issue

OpenID Federation defines four JWTs signed with federation entity keys:

  • Entity Statement
  • Resolve response
  • Signed JWK set obtained from the historical keys endpoint
  • Trust Marks

For these JWTs we need to specify whether the “kid” header parameter is required.

According to the current spec federation JWKs must include a “kid”:

jwks

REQUIRED. A JSON Web Key Set (JWKS) [RFC7517] representing the public part of the subject's Federation Entity signing keys. The corresponding private key is used by the Entity to sign the Entity Configuration about itself, and by Trust Anchors and Intermediate Entities to sign Subordinate Statements about their Immediate Subordinates. The public keys are used to verify the signatures of the issued Entity Statements and Trust Marks and SHOULD NOT be used in other protocols. (Keys to be used in other protocols, such as OpenID Connect, are conveyed in the metadata elements of the respective Entity Statements.) This claim is only OPTIONAL for the Entity Statement returned from an OP when the client is doing Explicit Registration. In all other cases, it is REQUIRED. Every JWK in the JWK Set MUST have a unique kid (Key ID) value. It is RECOMMENDED that the Key ID be the JWK Thumbprint [RFC7638] using the SHA-256 hash function of the key.
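As an added illustration of the two rules the quoted "jwks" text imposes (every key MUST carry a unique "kid", RECOMMENDED to be the RFC 7638 SHA-256 thumbprint) and of why the issue asks for a "kid" in the JWS header of the signed federation objects, here is a small Python checker. It is example code written for this page, not code from the OpenID Federation specification or from the issue tracker; the sample JWK Set, its coordinate strings and the placeholder Entity Statement are constructed, and the only spec value it borrows is the "entity-statement+jwt" typ. It stops at key selection: once a header "kid" resolves to exactly one federation key, signature verification is the caller's next step.

```python
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members hashed per key type, in lexicographic order,
# serialized with no whitespace. (Added example, not spec or project code.)
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(raw: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), the RECOMMENDED federation kid."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_federation_jwks(jwks: dict) -> list:
    """Findings against the quoted 'jwks' rules: kid present and unique (MUST),
    equal to the SHA-256 thumbprint (RECOMMENDED)."""
    findings, seen = [], set()
    for i, jwk in enumerate(jwks.get("keys", [])):
        kid = jwk.get("kid")
        if kid is None:
            findings.append(f"key #{i}: missing kid (MUST)")
            continue
        if kid in seen:
            findings.append(f"key #{i}: duplicate kid {kid!r} (MUST be unique)")
        seen.add(kid)
        if jwk.get("kty") in _THUMBPRINT_MEMBERS and kid != jwk_thumbprint(jwk):
            findings.append(f"key #{i}: kid {kid!r} is not the RFC 7638 thumbprint (RECOMMENDED)")
    return findings


def resolve_signing_key(jws_compact: str, jwks: dict) -> dict:
    """Pick the federation key the JWS header's kid names; refuse a missing or
    ambiguous kid instead of trying every key. Signature check happens after this."""
    header = json.loads(b64url_decode(jws_compact.split(".")[0]))
    kid = header.get("kid")
    if kid is None:
        raise ValueError("JWS header has no kid; key selection would have to guess")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"kid {kid!r} matches {len(matches)} keys; expected exactly 1")
    return matches[0]


def selection_error(jws_compact: str, jwks: dict) -> str:
    """Empty string when a single key was selected, the error message otherwise."""
    try:
        resolve_signing_key(jws_compact, jwks)
        return ""
    except ValueError as exc:
        return str(exc)


def entity_statement_header(kid) -> str:
    """Constructed compact JWS with only the header filled in; payload and
    signature are placeholders because this example stops at key selection."""
    header = {"alg": "ES256", "typ": "entity-statement+jwt"}
    if kid is not None:
        header["kid"] = kid
    return ".".join([b64url(json.dumps(header).encode()), b64url(b"{}"), b64url(b"\x00")])


# Constructed sample keys: the coordinates are placeholder strings, not real EC points.
GOOD_KEY = {"kty": "EC", "crv": "P-256", "x": "x-coordinate-A", "y": "y-coordinate-A",
            "use": "sig", "alg": "ES256"}
GOOD_KEY["kid"] = jwk_thumbprint(GOOD_KEY)
SAMPLE_JWKS = {"keys": [
    GOOD_KEY,
    {"kty": "EC", "crv": "P-256", "x": "x-coordinate-B", "y": "y-coordinate-B", "kid": "fed-key-1"},
    {"kty": "EC", "crv": "P-256", "x": "x-coordinate-C", "y": "y-coordinate-C", "kid": "fed-key-1"},
    {"kty": "EC", "crv": "P-256", "x": "x-coordinate-D", "y": "y-coordinate-D"},
]}

if __name__ == "__main__":
    for finding in check_federation_jwks(SAMPLE_JWKS):
        print(finding)
    print(selection_error(entity_statement_header(GOOD_KEY["kid"]), SAMPLE_JWKS) or "selected good key")
    print(selection_error(entity_statement_header("fed-key-1"), SAMPLE_JWKS))
    print(selection_error(entity_statement_header(None), SAMPLE_JWKS))
```

The thumbprint is computed only from the members RFC 7638 lists, so adding "use", "alg" or "kid" itself to a JWK does not change it; that is what makes it a stable, collision-resistant "kid". The duplicate "fed-key-1" entries show why the uniqueness MUST matters for the verifier: with two candidates, a header "kid" no longer selects a key, and a verifier that silently tries each one has lost the binding the header was meant to provide.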
