Sure. One use case that's fully specified and has been demonstrated to produce
interoperable implementations is the OpenID Connect use case. You can read the
key management instructions for that use case at
http://openid.net/specs/openid-connect-messages-1_0.html#sigenc. Note that
this uses discovery to determine the algorithms supported by the server using
the discovery fields at
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata and
uses client registration
http://openid.net/specs/openid-connect-registration-1_0.html (which is based on
the OAuth Dynamic Client Registration spec) to exchange algorithm and key
information.
I know that Dick Hardt has a different key management scheme that's used in the
British Columbia Government identity system. Maybe he would like to describe
that as well.
I'm sure that the Mozilla Persona system has to have one too. (I think it's a
simple one based on domain names, but I'm not an expert here.)
Cheers,
-- Mike
From: Jim Schaad [mailto:[email protected]]
Sent: Thursday, April 18, 2013 10:21 PM
To: Mike Jones
Cc: [email protected]
Subject: RE: [jose] OAUTH and implicit key identifiers
Ok - I have read through this document - my gut feeling is that if I understood
enough about OAuth to comment, I would create a massive mail message of comments.
This does not make it clear to me how this would work. After several reads of
the document my best guess is that one says - If you go digging through the
content of the message then you might find something that will give you a hint
about what key to use when combined with your database.
Do you have any better cases that make it clear how this is supposed to work?
Jim
From: Mike Jones [mailto:[email protected]]
Sent: Thursday, April 18, 2013 6:56 PM
To: Jim Schaad
Cc: [email protected]
Subject: RE: [jose] OAUTH and implicit key identifiers
In http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-09, see the definition
of "jwks_uri", which enables the client's JWK Set document to be communicated
to the OAuth server out of band from the JWTs (and JOSE objects underlying
them) later used. Also see "token_endpoint_auth_method" and especially the
"client_secret_jwt" and "private_key_jwt" authentication methods.
-- Mike
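To make the "implicit key identifier" idea in the message above concrete, here is an added illustration (not code from the thread, from OAuth, or from OpenID Connect) of how a recipient resolves the verification key from a JWK Set it fetched earlier from the registered "jwks_uri": by "kid" when the JWS header carries one, otherwise by there being exactly one compatible key. The JWK Set, key ids and key material below are constructed placeholders.

```python
import base64
import json

# Constructed sample JWK Set, standing in for the document a client would
# publish at its registered "jwks_uri" (all values are made up).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "2013-04-a", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "EC", "kid": "2013-04-b", "use": "sig", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y"},
    ]
}

# JWS "alg" family prefix -> JWK key type that may back it (per JWA).
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}


def b64url_decode(segment):
    """Decode unpadded base64url, as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header(compact_jws):
    """Return the decoded protected header of a compact-serialized JWS."""
    return json.loads(b64url_decode(compact_jws.split(".")[0]))


def select_key(header, jwks):
    """Return the single JWK that may verify this header, or raise.

    The key is identified implicitly: by "kid" when present, otherwise the
    key set must contain exactly one key compatible with "alg". Ambiguity
    is an error rather than a guess, and "none" is never accepted.
    """
    alg = header.get("alg")
    if not alg or alg == "none":
        raise ValueError("unsigned or unspecified alg is not acceptable")
    kty = ALG_KTY.get(alg[:2])
    if kty is None:
        raise ValueError("unsupported alg: %s" % alg)
    candidates = [k for k in jwks["keys"]
                  if k.get("kty") == kty
                  and k.get("use", "sig") == "sig"
                  and k.get("alg", alg) == alg]
    kid = header.get("kid")
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if len(candidates) != 1:
        raise LookupError("expected one matching key, found %d" % len(candidates))
    return candidates[0]
```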
From: [email protected]
[mailto:[email protected]] On Behalf Of Jim Schaad
Sent: Thursday, April 18, 2013 2:49 PM
To: Mike Jones
Cc: [email protected]
Subject: [jose] OAUTH and implicit key identifiers
Mike,
I have tried to go through the OAuth documents in order to find where and how
they have implicit key identifiers set up for tokens. I was unable to find
this. Can you please give me a concrete pointer to where this text is?
Jim
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose