Registration 2 - Native clients typically cannot use jwks_uri
Currently, it only has jwks_uri. A native client cannot make use of it.
Proposal:
Add jwks above jwks_uri as:
jwks
OPTIONAL. The Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the Client's encryption key(s), which are used by the Server to encrypt responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
Comments (5)
Could we extend the use of the jwks parameter as a means to provision keys to clients?
Account Deleted: If we do this, then we should definitely have it go both ways.
- changed title to Registration 2 - Native clients typically cannot use jwks_uri
- changed status to resolved
Fixed
#903 - Added the "jwk" Registration parameter to enable the Client's JWK Set to be passed by value, if necessary. → <<cset 909cf769b17b>>
There are a few places in core that probably need to be updated along with this. The client part of http://openid.bitbucket.org/openid-connect-core-1_0.html#SigEncKey for example.
Probably also should say that the client can only register jwks_uri or jwks but not both.
And might it be worth saying that jwks_uri is preferred and that jwks should only be used by clients (i.e. native) that don't have the ability to host a web endpoint?
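The following is an added example, not text or code from the OpenID Connect specifications or from this issue tracker. It shows how a Server might validate the key-related part of a registration request along the lines discussed above: accept either jwks or jwks_uri but not both, require jwks to be a well-formed JWK Set, and enforce the rule from the proposed text that every key carries a use value when both signing and encryption keys are present. The function names, the https-only check on jwks_uri, and the rejection of private-key members (a client should register only public keys) are assumptions made for this example, not requirements taken from the page.

```python
"""Server-side validation of a client's registered keys (added example).

Implements the checks discussed in the thread:
  * jwks and jwks_uri are mutually exclusive
  * jwks must be a JWK Set with a non-empty 'keys' array
  * when both signing and encryption keys are present, 'use' is REQUIRED on every key
Extra checks (assumptions, not from the page): jwks_uri must be https, and
keys must not carry private/symmetric members from RFC 7517/7518.
"""

# Members that would mean the client registered secret material (assumption:
# a registration should carry public keys only).
PRIVATE_PARAMS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def validate_client_keys(metadata: dict) -> list[str]:
    """Return a list of error strings for the registration request; empty means valid."""
    errors = []
    has_jwks = "jwks" in metadata
    has_uri = "jwks_uri" in metadata

    if has_jwks and has_uri:
        errors.append("register either jwks or jwks_uri, not both")

    if has_uri:
        uri = metadata["jwks_uri"]
        if not (isinstance(uri, str) and uri.startswith("https://")):
            errors.append("jwks_uri must be an https URL")

    if has_jwks:
        errors.extend(_validate_jwk_set(metadata["jwks"]))

    return errors


def _validate_jwk_set(jwks) -> list[str]:
    """Check the structure of a JWK Set passed by value."""
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["jwks must be a JWK Set object with a non-empty 'keys' array"]

    errors = []
    uses = set()
    for i, key in enumerate(keys):
        if not isinstance(key, dict) or "kty" not in key:
            errors.append(f"keys[{i}]: every JWK needs a 'kty' member")
            continue
        leaked = PRIVATE_PARAMS & key.keys()
        if leaked:
            errors.append(
                f"keys[{i}]: private key material in registration ({', '.join(sorted(leaked))})"
            )
        uses.add(key.get("use"))  # None when 'use' is absent

    # The rule only bites when both usages are actually declared; a set where no
    # key says 'use' cannot be told apart from a signing-only set here.
    if "sig" in uses and "enc" in uses and None in uses:
        errors.append("jwks mixes signing and encryption keys, so 'use' is REQUIRED on every key")

    return errors


if __name__ == "__main__":
    # Constructed sample registration for a native client (placeholder key values).
    sample = {
        "client_name": "Example native app",
        "jwks": {
            "keys": [
                {"kty": "RSA", "kid": "sig-1", "use": "sig", "n": "PLACEHOLDER_N", "e": "AQAB"},
                {"kty": "RSA", "kid": "enc-1", "n": "PLACEHOLDER_N", "e": "AQAB"},
            ]
        },
    }
    for err in validate_client_keys(sample) or ["ok"]:
        print(err)
```

Run stand-alone, the sample above is rejected because the second key omits use while the first declares sig; adding "use": "enc" to it makes the set valid.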