Description
The JWK Thumbprint subject syntax type is one of the Subject Syntax Types used in the Self-Issued OpenID Provider (SIOP) protocol flow. In this syntax type, the sub (subject) claim value in the ID Token issued by the Self-Issued OP is the base64url-encoded JWK thumbprint of the key carried in the sub_jwk (subject key) claim. The sub_jwk claim is included in the Self-Issued Response and contains the public key used by the Self-Issued OP to sign the ID Token.
This syntax type allows the Relying Party (RP) to verify the signature on the ID Token with the key in sub_jwk and to bind that key to the subject through its JWK thumbprint, without having to retrieve a JWK set from the Self-Issued OP. The JWK thumbprint is a compact representation of the public key and can be used as a unique identifier for the key. This approach reduces the size of the SIOP request and response messages and simplifies the processing for the RP.
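An added example, written for this issue and not taken from the library or the specifications, showing both halves of the mechanism described above: the Provider derives sub from the RFC 7638 thumbprint of its signing key, and the RP recomputes the thumbprint of sub_jwk and requires it to match sub. The function names, the helper layout and the P-256 key values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members enter the thumbprint, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used for sub and JWK members."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over compact, key-sorted JSON of the required members only."""
    try:
        canonical = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    except KeyError as missing:
        raise ValueError(f"unsupported or incomplete JWK: {missing}") from None
    # sort_keys + no-whitespace separators reproduce the exact octets the RFC hashes;
    # optional members (kid, use, alg) and member order never affect the result.
    octets = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(octets).digest())


def self_issued_claims(signing_public_jwk: dict, audience: str) -> dict:
    """Provider side: sub is the thumbprint of the key that signs the ID Token."""
    return {
        "iss": "https://self-issued.me/v2",  # SIOPv2 iss value for this subject type
        "sub": jwk_thumbprint(signing_public_jwk),
        "sub_jwk": signing_public_jwk,
        "aud": audience,
    }


def verify_sub_binding(claims: dict) -> bool:
    """RP side: sub must equal the thumbprint of sub_jwk, binding subject to signing key."""
    sub, sub_jwk = claims.get("sub"), claims.get("sub_jwk")
    if not isinstance(sub, str) or not isinstance(sub_jwk, dict):
        return False
    try:
        expected = jwk_thumbprint(sub_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), sub.encode())


# Constructed sample P-256 public key (illustrative values, not a real signing key).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
```

The RP still has to verify the ID Token signature with sub_jwk; this check only establishes that the key which verified the signature is the one the subject identifier commits to.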
Motivation
The JWK Thumbprint subject syntax type is a mandatory requirement for a compliant implementation of the Self-Issued OpenID Provider (SIOP) protocol, as described in the SIOPv2 specification. Therefore, adding support for this subject syntax type will ensure that this SIOP library is compliant with the latest standards and can interoperate with other compliant SIOP implementations.
Resources
- SIOPv2 JWK Thumbprint
- JWK Thumbprint specification (RFC 7638)
To-do List
- SubjectSyntaxType as a method of signing the SIOP Response (by the Provider)
- RelyingParty to validate a SIOP Response