Closed andersk closed 2 months ago
Sorry, but this is nonsense. This endpoint is part of the OIDC spec.
Edit: It might not be explicitly in there, but it’s common practice to be under this URL for many auth servers. Changing this has no effect other than a breaking change and time and effort for everyone, while gaining nothing.
If the URL is not going to be changed, then it should be registered.
We are such a small project and don’t have the resources nor the connections to influence IANA. Please reach out to one of the many other players in the market, like Okta to formalize the endpoint: https://www.google.com/search?q=%22.well-known%2Fjwks.json
Okta uses /oauth2/v1/keys, not /.well-known/jwks.json. Example: https://example.okta.com/.well-known/openid-configuration → "jwks_uri":"https://example.okta.com/oauth2/v1/keys" and https://example.okta.com/.well-known/oauth-authorization-server → "jwks_uri":"https://example.okta.com/oauth2/v1/keys".
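The point of the comment above is that a relying party should take the JWKS location from the issuer's discovery document rather than assume a fixed /.well-known/jwks.json path. The following is an added example, not code from Ory Hydra or from this thread; the discovery documents are constructed inline (the Okta-style one mirrors the jwks_uri quoted above, the hydra.example and broken.example hosts are hypothetical), and the same-host check is a conservative client policy, not something the OIDC Discovery spec requires.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery documents keyed by issuer (not real HTTP responses).
# A real client would GET <issuer>/.well-known/openid-configuration.
DISCOVERY_DOCS = {
    "https://example.okta.com": json.dumps({
        "issuer": "https://example.okta.com",
        "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    }),
    "https://hydra.example": json.dumps({        # hypothetical Hydra deployment
        "issuer": "https://hydra.example",
        "jwks_uri": "https://hydra.example/.well-known/jwks.json",
    }),
    "https://broken.example": json.dumps({       # hypothetical misconfigured server
        "issuer": "https://broken.example",
        # no jwks_uri at all
    }),
}


def resolve_jwks_uri(issuer: str, discovery_json: str) -> str:
    """Return the jwks_uri advertised by an OIDC discovery document.

    The JWKS location is taken only from the document; if it is absent the
    client refuses rather than guessing a path such as /.well-known/jwks.json.
    """
    doc = json.loads(discovery_json)
    # OIDC Discovery requires the advertised issuer to match the one queried.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch in discovery document")
    jwks_uri = doc.get("jwks_uri")
    if not jwks_uri:
        raise ValueError("jwks_uri missing from discovery document")
    iss, jwks = urlsplit(issuer), urlsplit(jwks_uri)
    if jwks.scheme != "https":
        raise ValueError("jwks_uri must use https")
    # Conservative policy (assumption): keys must come from the issuer's host.
    if jwks.netloc != iss.netloc:
        raise ValueError("jwks_uri host differs from issuer host")
    return jwks_uri


def uses_unregistered_path(jwks_uri: str) -> bool:
    """True when keys are served from the unregistered /.well-known/jwks.json path."""
    return urlsplit(jwks_uri).path == "/.well-known/jwks.json"
```

Running resolve_jwks_uri over each issuer shows that Okta and Hydra publish different jwks_uri paths and that only the discovery document tells the client which one applies.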
Preflight checklist
Ory Network Project
No response
Describe the bug
Ory Hydra is using the /.well-known/jwks.json URI, but this URI is not registered in the IANA well-known URIs registry. This violates a hard requirement of RFC 5785 that all /.well-known/ URIs MUST be registered:
"This registration requirement is important to avoid colliding uses of /.well-known/ URIs with different semantics."
Related:
Reproducing the bug
See https://www.ory.sh/docs/hydra/reference/api#tag/wellknown/operation/discoverJsonWebKeys and
https://github.com/ory/hydra/blob/57096be9befbde4a1436ef48338d253a248c91c4/jwk/handler.go#L32
Relevant log output
No response
Relevant configuration
No response
Version
2.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response