Open OIDF-automation opened 2 years ago
good call-out. I think what was originally meant was sub_jwk
is a JWK without x5c
, x5u
, x5t
parameters. However, I don’t see the reason not to allow X.509 certificate values if the issuer/wallet is able to manage a cert per user. I am inclined to define sub_jwk
in SIOP as a JWK. or replace it with RFC7800 cnf
(Issue #1540)
Thanks for the clarification! If there’s no imperative to have a “bare” JWK, then my suggestion is to simply remove that qualifier from the definition.
(whether it stays sub_jwk
or becomes a cnf.jwk
or JWT jwk
header)
I am not sure what would be a use case for the user to use X.509 to sign a self-Issued ID Token.
Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1543
Original Reporter: vdzhuvinov
The current
sub_jwk
spec says it MUST be a “bare” key in JWK format.https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-self-issued-id-token
I was wondering about what that means in practice. I’m also unsure how to interpret the “not an X.509 certificate value”. Is this to mean a JWK with only the mandatory"kty" and those params that define the public key material? Are SIOP and RP expected to check the key for certain things to make sure it conforms with this definition of “bare”?