Closed yuriyz closed 4 years ago
There are the following options for software statement validation:
1) `softwareStatementValidationType=script` - the default one; jwks and HMAC secret are returned by the dynamic client registration script.
2) `softwareStatementValidationType=jwks_uri` - allows specifying the `jwks_uri` claim name from `software_statement`. The claim name is specified by the `softwareStatementValidationClaimName` configuration property.
3) `softwareStatementValidationType=jwks` - allows specifying the `jwks` claim name from `software_statement`. The claim name is specified by the `softwareStatementValidationClaimName` configuration property.
4) `softwareStatementValidationType=none` - no validation.
Done in 4.2.1 and master.
Describe the issue
Currently, if `software_statement` is provided to the AS without a `jwks` or `jwks_uri` claim, it is rejected. There are many problems with it:
1) First of all, a JWT can use HMAC-based algorithms with a key, which does not require JWKS. Openbanking has an example on their page with the HS512 alg.
2) We are not flexible on how to provide JWS outside of the statement (e.g. a custom script).
We will provide both: a) configurable claims which can be forced if needed; b) jwks fetching via the dynamic registration custom script.
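The dispatch that the four `softwareStatementValidationType` options above describe, together with the HMAC case the issue raises (an HS512-signed statement that carries no `jwks`/`jwks_uri` claim), as an added, stdlib-only Python example. This is not oxAuth code and not the dynamic client registration script: the `fetch_jwks` and `script_secret` hooks, the `validate_software_statement`/`verify_hs` function names, and every secret, URL and claim value are constructed for the demo. Only HMAC algorithms are implemented; JWKS lookups therefore accept symmetric `oct` JWKs, and the asymmetric RS/ES/PS families are out of scope here.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms this stdlib-only example accepts. Anything else, including
# "none" and the asymmetric RS*/ES*/PS* families, is rejected outright.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs(claims, secret, alg="HS512", kid=None):
    """Build a compact JWS over `claims` with an HMAC key (fixture helper for the demo)."""
    header = {"alg": alg, "typ": "JWT"}
    if kid:
        header["kid"] = kid
    signing_input = encode_part(header) + "." + encode_part(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def parse_jws(token):
    """Split a compact JWS into (header, claims, signing_input, signature); no verification."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("software_statement is not a compact JWS") from None
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), h + "." + p, b64url_decode(s)


def verify_hs(token, secret):
    """Verify an HMAC-signed software statement and return its claims."""
    header, claims, signing_input, sig = parse_jws(token)
    alg = header.get("alg")
    if alg not in HMAC_ALGS:  # also stops alg=none and RS*->HS* key-confusion tokens
        raise ValueError("unsupported alg %r" % alg)
    expected = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("software_statement signature invalid")
    return claims


def oct_key_from_jwks(jwks, kid):
    """Select the symmetric ("oct") JWK whose kid matches the JWS header."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") == "oct" and (kid is None or jwk.get("kid") == kid):
            return b64url_decode(jwk["k"])
    raise ValueError("no matching oct key in JWKS")


def validate_software_statement(token, config, fetch_jwks=None, script_secret=None):
    """Dispatch on softwareStatementValidationType and return the verified claims.

    fetch_jwks(url) -> dict and script_secret(header, claims) -> bytes are
    hypothetical hooks standing in for the HTTP fetch of a jwks_uri and for the
    dynamic client registration script that hands back the HMAC secret.
    """
    vtype = config.get("softwareStatementValidationType", "script")
    claim_name = config.get("softwareStatementValidationClaimName")
    header, claims, _, _ = parse_jws(token)
    if vtype == "none":
        return claims  # accepted as-is: nothing about the statement has been checked
    if vtype == "script":
        secret = script_secret(header, claims)
    elif vtype == "jwks":
        secret = oct_key_from_jwks(claims[claim_name], header.get("kid"))
    elif vtype == "jwks_uri":
        secret = oct_key_from_jwks(fetch_jwks(claims[claim_name]), header.get("kid"))
    else:
        raise ValueError("unknown softwareStatementValidationType %r" % vtype)
    return verify_hs(token, secret)


def outcome(fn):
    try:
        fn()
        return "accepted"
    except ValueError:
        return "rejected"


def demo():
    """Exercise all four modes plus two rejection cases on constructed fixtures."""
    secret = b"constructed-demo-secret-not-for-real-use"  # constructed value
    jwks = {"keys": [{"kty": "oct", "kid": "ssa-1", "k": b64url_encode(secret)}]}
    base = {"iss": "https://directory.example", "software_id": "app-123",
            "redirect_uris": ["https://rp.example/cb"]}  # constructed claims
    embedded = sign_hs(dict(base, jwks=jwks), secret, kid="ssa-1")
    by_uri = sign_hs(dict(base, jwks_uri="https://directory.example/jwks.json"), secret, kid="ssa-1")
    plain = sign_hs(base, secret)  # HS512, no jwks/jwks_uri claim at all, as in the issue
    jwks_store = {"https://directory.example/jwks.json": jwks}  # stands in for the HTTP fetch
    script_cfg = {"softwareStatementValidationType": "script"}
    checks = {
        "jwks": validate_software_statement(embedded, {"softwareStatementValidationType": "jwks",
                 "softwareStatementValidationClaimName": "jwks"})["software_id"],
        "jwks_uri": validate_software_statement(by_uri, {"softwareStatementValidationType": "jwks_uri",
                     "softwareStatementValidationClaimName": "jwks_uri"},
                     fetch_jwks=jwks_store.__getitem__)["software_id"],
        "script": validate_software_statement(plain, script_cfg, script_secret=lambda h, c: secret)["software_id"],
        "none": validate_software_statement(plain, {"softwareStatementValidationType": "none"})["software_id"],
    }
    # Rejection 1: claims altered after signing, original signature kept.
    h, _, s = plain.split(".")
    altered = h + "." + encode_part(dict(base, redirect_uris=["https://other.example/cb"])) + "." + s
    checks["altered"] = outcome(lambda: validate_software_statement(altered, script_cfg, script_secret=lambda h, c: secret))
    # Rejection 2: alg "none" with an empty signature.
    unsigned = encode_part({"alg": "none"}) + "." + encode_part(base) + "."
    checks["alg_none"] = outcome(lambda: validate_software_statement(unsigned, script_cfg, script_secret=lambda h, c: secret))
    return checks
```

One thing the dispatch makes visible: in `jwks` mode the key comes from the statement itself, so a passing check only proves the statement is self-consistent; trust in the issuer has to come from the `script` mode (or from pinning the allowed `jwks_uri` hosts), which is why the issue keeps the script path as the default.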