ConsumerDataStandardsAustralia / register

ACCC CDR Register GitHub issue register for external collaboration
https://cdr-register.github.io/register/

JWKS endpoint response structure #89

Open jakubvozarik opened 4 years ago

jakubvozarik commented 4 years ago

The ConsumerDataStandards website talks about a JWKS endpoint that needs to be exposed by both data holder and data recipient. The swagger link for DCR (https://cdr-register.github.io/register/includes/swagger/swagger_dcr.json) does not say anything about JWKS endpoint specs, however there is a mention about the RFC 7517 for JWKS endpoint. The question is:

Can a data holder simply follow RFC and come up with their own response structure for the JWKS endpoint or would ACCC be providing the Swagger specs for this API?

perlboy commented 4 years ago

This question seems like it's more appropriate at Consumer Data Standards github as this GitHub is for Register only consultation.

Nonetheless, JWKS is an internationally defined format with an IANA registration and, as you've indicated, is covered in RFC 7517 under Section 5. Holders make theirs available within their OIDC inherited, CDS mandated, discovery document. While there are some "common" URIs for the jwks document to be made available on, ultimately it is up to the Holder provided the link in the Discovery document is appropriate.

Since the JWKS endpoint is inherited primarily from OIDC specifications which are mandated as InfoSec requirements (not Resource Server ones), a swagger specification is neither necessary nor possible because OIDC comms are, by and large, form encoded (in fact JWKS is the only one that is JSON) and response content is OIDC specific (for instance, it uses space separated lists of strings not a JSON array). Please refer to the OpenID Connect specification for a more contextual understanding.
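The reply above describes the shape a data holder's JWKS document takes (RFC 7517 Section 5, located through the `jwks_uri` member of the OIDC discovery document). The following is an added example, not code from this repository or from either commenter, showing what a consuming party would check when it fetches such a document: the `keys` array and per-key `kty` that RFC 7517 requires, the `n`/`e` members an RSA key needs, that no private parameters have leaked into a public key set, unique `kid` values, and base64url decoding without padding. The discovery document, the key set, and the modulus are constructed sample values (the modulus is not a real RSA key) and are assumptions of this example only.

```python
import base64
import json

# --- Constructed sample data (not from any real data holder) -----------------
SAMPLE_DISCOVERY = {
    "issuer": "https://holder.example",
    "jwks_uri": "https://holder.example/.well-known/jwks.json",
}

# A 2048-bit integer used as a stand-in modulus; it is NOT a real RSA key.
_CONSTRUCTED_MODULUS = (1 << 2047) | 1


def b64url_encode_uint(value: int) -> str:
    """Encode an unsigned integer as unpadded base64url (RFC 7518 section 2)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    """Decode base64url that, per RFC 7515, carries no '=' padding."""
    pad = (-len(data)) % 4
    return base64.urlsafe_b64decode(data + "=" * pad)


SAMPLE_JWKS_BODY = json.dumps({
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "sig-2024-01", "alg": "PS256",
         "n": b64url_encode_uint(_CONSTRUCTED_MODULUS), "e": "AQAB"},
        {"kty": "EC", "use": "enc", "kid": "enc-2024-01", "crv": "P-256",
         "x": b64url_encode_uint(1 << 255), "y": b64url_encode_uint(3 << 254)},
    ]
})


class JwksError(ValueError):
    """Raised when a key set does not satisfy the RFC 7517 structure."""


def jwks_uri_from_discovery(discovery: dict) -> str:
    """Return the jwks_uri from an OIDC discovery document, insisting on https."""
    uri = discovery.get("jwks_uri")
    if not isinstance(uri, str) or not uri.startswith("https://"):
        raise JwksError("discovery document lacks an https jwks_uri")
    return uri


def parse_jwks(body: str) -> list:
    """Validate the JWK Set structure of RFC 7517 section 5 and return its keys."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        raise JwksError('JWKS must be a JSON object with a "keys" array')
    seen_kids = set()
    keys = []
    for jwk in doc["keys"]:
        if not isinstance(jwk, dict) or "kty" not in jwk:
            raise JwksError('every JWK must carry a "kty" member (RFC 7517 s4.1)')
        # Private parameters (RFC 7518: d, p, q, dp, dq, qi for RSA; d for EC)
        # must never appear in a published key set.
        if {"d", "p", "q", "dp", "dq", "qi"} & jwk.keys():
            raise JwksError("key set contains private key material")
        if jwk["kty"] == "RSA" and not {"n", "e"} <= jwk.keys():
            raise JwksError('RSA JWK must carry "n" and "e" (RFC 7518 s6.3.1)')
        kid = jwk.get("kid")
        if kid is not None:
            if kid in seen_kids:
                raise JwksError(f"duplicate kid {kid!r} in key set")
            seen_kids.add(kid)
        keys.append(jwk)
    return keys


def jwks_problem(body: str):
    """Return the validation error message for a key set, or None if it is fine."""
    try:
        parse_jwks(body)
    except (JwksError, ValueError) as exc:
        return str(exc)
    return None


def select_signing_key(keys: list, kid: str) -> dict:
    """Pick the key a JWS header's kid refers to; 'use' defaults to signing."""
    for jwk in keys:
        if jwk.get("kid") == kid and jwk.get("use", "sig") == "sig":
            return jwk
    raise JwksError(f"no signing key with kid {kid!r}")


def rsa_modulus_bits(jwk: dict) -> int:
    """Bit length of an RSA JWK's modulus, e.g. to enforce a minimum key size."""
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


if __name__ == "__main__":
    uri = jwks_uri_from_discovery(SAMPLE_DISCOVERY)
    keys = parse_jwks(SAMPLE_JWKS_BODY)   # in practice: the body fetched from uri
    key = select_signing_key(keys, "sig-2024-01")
    print(uri, key["alg"], rsa_modulus_bits(key))
```

In a real deployment the body passed to `parse_jwks` is fetched over TLS from the `jwks_uri` obtained from the holder's discovery document, and the selected key is handed to a JWS library for signature verification; the structural checks above are what catch a malformed or mis-published key set before that step.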