openid / SIOPv2

9 stars 2 forks source link

SIOPv2: Clarify "bare" JWK in sections 13 & 13.1 #10

Open OIDF-automation opened 2 years ago

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1543

Original Reporter: vdzhuvinov

The current sub_jwk spec says it MUST be a “bare” key in JWK format.

https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-self-issued-id-token

I was wondering about what that means in practice. I’m also unsure how to interpret the “not an X.509 certificate value”. Is this to mean a JWK with only the mandatory"kty" and those params that define the public key material? Are SIOP and RP expected to check the key for certain things to make sure it conforms with this definition of “bare”?

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

good call-out. I think what was originally meant was sub_jwk is a JWK without x5c, x5u, x5t parameters. However, I don’t see the reason not to allow X.509 certificate values if the issuer/wallet is able to manage a cert per user. I am inclined to define sub_jwk in SIOP as a JWK. or replace it with RFC7800 cnf (Issue #1540)

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: vdzhuvinov

Thanks for the clarification! If there’s no imperative to have a “bare” JWK, then my suggestion is to simply remove that qualifier from the definition.

(whether it stays sub_jwk or becomes a cnf.jwk or JWT jwk header)

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

I am not sure what would be a use case for the user to use X.509 to sign a self-Issued ID Token.