In light of the question in https://bitbucket.org/openid/fapi/issues/200/ciba-signed-authentication-request I took another look at the spec and I don't think we provide enough guidance about jwks_uris in the spec.
I don't have a concrete proposal for this at the moment, but I'm opening up this issue as a placeholder.
Some suggestions on the JWKS and also on the JOSE header:
The JWKS should be served over TLS. We could use the same rules. Although FAPI 8.5 states "all interactions shall be encrypted with TLS", we may want to be specific that the jwks_uri has to be an https.
The JOSE headers `x5u` and `jku` should not be used or should at least be validated so that they match the jwks_uri that the client registered with / that the authorisation server advertised on its .well-known.

On a slightly different note, the jwks_uri is a string rather than an array and that is quite limiting in federated scenarios. Can we add any guidance around what should happen in those situations?
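As an illustration of the `jku` / `x5u` check suggested above, here is an added example (not code from the FAPI/CIBA spec, the working group, or anyone in this thread). It parses the protected header of a compact JWS, requires every registered jwks_uri to be an https URL, and rejects a `jku` or `x5u` that is not exactly one of the registered jwks_uri values; it also refuses an embedded `jwk` header, since keys must come only from the registered location. It goes a little beyond the comment by accepting an allowlist of one or more registered URIs, which is one way to cope with the federated case the comment raises. The URLs, `kid` values and claims are constructed for the example.

```python
import base64
import json
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWS compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_compact_jws(header: Dict, payload: Dict) -> str:
    """Build a compact JWS with a dummy signature (constructed test input).

    Only the protected header is inspected below, so no real signing is done here;
    a real verifier checks the signature against the key fetched from the registered jwks_uri.
    """
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 32),
    ])


def parse_jose_header(compact_jws: str) -> Dict:
    """Return the protected JOSE header of a compact JWS (header.payload.signature)."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS serialisation (header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def is_https_url(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_key_location_headers(header: Dict, allowed_jwks_uris: Iterable[str]) -> Tuple[bool, str]:
    """Validate jku / x5u against the jwks_uri(s) the client registered.

    Returns (ok, reason). The allowlist is normally the single registered jwks_uri string;
    accepting several is the hypothetical extension for federated deployments.
    """
    allowed = set(allowed_jwks_uris)
    if not allowed or not all(is_https_url(u) for u in allowed):
        return False, "every registered jwks_uri must be an https URL"
    # An embedded key in the header is never a trust anchor; keys come from the registered jwks_uri.
    if "jwk" in header:
        return False, "embedded 'jwk' header not accepted; keys come only from the registered jwks_uri"
    # jku / x5u may be absent; when present they must be an exact match, not a prefix or host match.
    for name in ("jku", "x5u"):
        if name in header:
            value = header[name]
            if not isinstance(value, str) or value not in allowed:
                return False, f"'{name}' is not the registered jwks_uri"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: a hypothetical client's registered jwks_uri and two sample requests.
    registered = "https://client.example.com/.well-known/jwks.json"
    good = make_compact_jws({"alg": "PS256", "kid": "k1", "jku": registered}, {"iss": "client-1"})
    other = make_compact_jws({"alg": "PS256", "jku": "https://other.example.net/jwks.json"}, {})
    print(check_key_location_headers(parse_jose_header(good), [registered]))
    print(check_key_location_headers(parse_jose_header(other), [registered]))
```

The exact-match rule is deliberate: comparing only the host, or treating the registered value as a prefix, would let a differently-pathed document on the same host be used as the key source, which is precisely what pinning `jku` / `x5u` to the registered jwks_uri is meant to prevent.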