openid / federation


signed_jwks_uri and JWS type #64

Closed cicnavi closed 21 hours ago

cicnavi commented 1 week ago

In 5.2.1. Extensions for JWK Sets in Entity Metadata there is a description of 'signed_jwks_uri' which returns a signed JWT with JWKS and other specific claims...

I would expect that this signed JWT has an application/jwk-set+jwt type, but I don't see any mention of it.

Edit: to clarify, the question is - should this Signed JWKS have a typ header of jwk-set+jwt?

vdzhuvinov commented 1 week ago

JWTs that encapsulate JWK sets should be typed:

https://openid.net/specs/openid-federation-1_0.html#name-application-jwk-setjwt-medi

cicnavi commented 1 week ago

Ok, so "only" SHOULD? It's just that for (some) other JWSs it was explicitly noted in the JWS description. Also in the description of related HTTP responses it was noted about specific content type. Some examples:

Entity Statement JWTs MUST be explicitly typed, by setting the typ header parameter to entity-statement+jwt to prevent cross-JWT confusion, per Section 3.11 of [RFC8725].

A successful response MUST use the HTTP status code 200 with the content type application/entity-statement+jwt, to make it clear that the response contains an Entity Statement.

vdzhuvinov commented 1 week ago

Read my comment as written in conversational language, not as formal normative text to be put in the spec. 5.2.1 does seem to need a fix, to make the "typ" header requirement explicit to the reader. We made a conscious effort to have all Federation-related JWTs explicitly typed. Some early specs involving JWTs didn't spell out a typing for them, which may make them vulnerable to exploits in what is called cross-JWT confusion.

The section I linked to defines that signed JWK sets have a media type. Their JWTs thus take the media subtype as the "typ" header.

15.6. "application/jwk-set+jwt" Media Type

The application/jwk-set+jwt media type is used to specify that the associated content is a signed JWK Set, as defined in Section 8.7.2. No parameters are used with this media type.
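The check the thread is asking for, as an added example that is not part of the issue or of the openid/federation project's code: a relying party fetching `signed_jwks_uri` requires the JWS `typ` header to be `jwk-set+jwt` (compared as a media type per RFC 7515 §4.1.9, so `application/JWK-Set+JWT` is equivalent) before it trusts the `keys` claim, and rejects an untyped JWT or an Entity Statement presented in its place, which is the cross-JWT confusion RFC 8725 §3.11 warns about. Assumptions: HS256 with a constructed shared secret is used only so the example runs with the standard library alone (real Federation JWKS responses are signed with an asymmetric key from the entity's Entity Configuration); the sample tokens, claim values and JWK entries are constructed placeholders, not real federation data.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. A real signed_jwks_uri response is signed with a key
# published in the entity's Entity Configuration; HS256 with a shared secret is
# used here only so the example runs with the standard library alone.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce a compact JWS over `claims` with the given extra header fields."""
    header = {"alg": "HS256", **header}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class JwtTypeError(ValueError):
    """The JOSE 'typ' header is missing or names a different kind of JWT."""


def normalize_typ(typ: str) -> str:
    # RFC 7515 s4.1.9: a 'typ' without '/' is read as if prefixed with
    # 'application/'; media type names compare case-insensitively.
    typ = typ.lower()
    return typ if "/" in typ else "application/" + typ


def verify_typed_jwt(token: str, expected_typ: str, key: bytes = DEMO_KEY) -> dict:
    """Verify a compact JWS and require its 'typ' to match expected_typ.

    The type check runs before the signature check: per RFC 8725 s3.11 a JWT
    of another type (or of no type) is not the object this endpoint returns,
    so a valid signature does not rescue it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' alone
        raise ValueError("unexpected alg")
    typ = header.get("typ")
    if not isinstance(typ, str):
        raise JwtTypeError("untyped JWT rejected")
    if normalize_typ(typ) != normalize_typ(expected_typ):
        raise JwtTypeError(f"expected typ {expected_typ!r}, got {typ!r}")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def keys_from_signed_jwks(token: str) -> list:
    """What a relying party does with a signed_jwks_uri response."""
    return verify_typed_jwt(token, "jwk-set+jwt")["keys"]


def accepted_as_signed_jwks(token: str) -> bool:
    try:
        keys_from_signed_jwks(token)
        return True
    except JwtTypeError:
        return False


# Constructed sample tokens; the JWK entries are placeholders, not usable keys.
NOW = 1_700_000_000
JWKS_CLAIMS = {
    "iss": "https://op.example", "sub": "https://op.example", "iat": NOW,
    "keys": [{"kty": "EC", "crv": "P-256", "kid": "op-sig-1"}],
}
SIGNED_JWKS = sign_jwt({"typ": "jwk-set+jwt"}, JWKS_CLAIMS)
SIGNED_JWKS_FULL_TYP = sign_jwt({"typ": "application/JWK-Set+JWT"}, JWKS_CLAIMS)
UNTYPED_JWKS = sign_jwt({}, JWKS_CLAIMS)  # what a lax publisher might emit
ENTITY_STATEMENT = sign_jwt(
    {"typ": "entity-statement+jwt"},
    {"iss": "https://op.example", "sub": "https://op.example", "iat": NOW,
     "exp": NOW + 3600, "jwks": {"keys": [{"kty": "EC", "kid": "op-fed-1"}]},
     "metadata": {}},
)

if __name__ == "__main__":
    for name, tok in [("typed signed JWKS", SIGNED_JWKS),
                      ("full media type", SIGNED_JWKS_FULL_TYP),
                      ("untyped JWKS", UNTYPED_JWKS),
                      ("entity statement", ENTITY_STATEMENT)]:
        print(f"{name}: {'accepted' if accepted_as_signed_jwks(tok) else 'rejected'}")
```

Note the order of checks: `typ` is inspected on the raw header before any signature work, and the expected value is supplied by the caller for the endpoint being consumed, so the same verifier can be reused for `entity-statement+jwt` without either type being accepted in the other's place.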