Hello Jose, Hope you are well.
I am writing with regards to proposing a change to rfc7517. It appears that some identity providers are very purist, and do not return x5c. It's an optional field, whilst other identity providers do provide the x5c certificate.

The x5c certificate is extremely useful. It negates the need for a library or application to be able to translate the modulus and exponent. Many libraries do not support this natively, meaning custom code needs to be written in order to perform this translation of formats in order to provide a standardised, interoperable interface & more easily foster interoperability & federation between multiple IdPs.

https://github.com/asoorm/tyk-go-plugins/blob/master/merge_jwks/merge_jwks.go#L143-L194

It would be great if you could consider making the x5c certificate mandatory for RSA public keys, or provide any guidance in this regard.

For example, as an API Gateway, I need to be able to support obtaining JWT public keys from the jwks_uri, and if each IdP does it differently, then this puts the onus on the gateway to perform the translation, where it could be very easily implemented at the issuer of the certificate's side. Further, it will ensure separation of concerns, where the gateway doesn't need to perform these operations, because the required data is already presentable in a consistent format. The certificate issuer will only ever need to update the certificates upon rotation, but the client using them will need to perform the translation every time.

With thanks
Ahmet

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
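The two code paths the mail contrasts, a consumer that takes the key straight from the x5c leaf when the IdP publishes one and otherwise performs the n/e translation itself, as an added Go example that is not part of the original mail or of the linked plugin; the JWK struct, RSAPublicKey and SelfSignedX5c are assumed names, and the self-signed certificate is constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// JWK holds the RFC 7517 members this example needs (hypothetical minimal struct; kty assumed to be RSA).
type JWK struct {
	N, E string   // unpadded base64url, big-endian unsigned integers (RFC 7518 section 6.3.1)
	X5c  []string // standard base64 DER certificates, leaf first (RFC 7517 section 4.7)
}

// RSAPublicKey takes the key from the x5c leaf when the IdP publishes one, else translates n/e as the mail describes.
func RSAPublicKey(j JWK) (*rsa.PublicKey, error) {
	if len(j.X5c) > 0 {
		der, derr := base64.StdEncoding.DecodeString(j.X5c[0]) // note: x5c is not base64url
		cert, cerr := x509.ParseCertificate(der)
		if derr != nil || cerr != nil {
			return nil, errors.New("x5c leaf is not a base64 DER certificate")
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			return pub, nil
		}
		return nil, errors.New("x5c leaf does not carry an RSA key")
	}
	nb, nerr := base64.RawURLEncoding.DecodeString(j.N)
	eb, eerr := base64.RawURLEncoding.DecodeString(j.E)
	if nerr != nil || eerr != nil {
		return nil, errors.New("n or e is not valid base64url")
	}
	e := new(big.Int).SetBytes(eb) // reject absurd exponents before a verifier ever sees the key
	if !e.IsInt64() || e.Int64() < 3 {
		return nil, errors.New("unusable public exponent")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(e.Int64())}, nil
}

// SelfSignedX5c generates a key and wraps its self-signed certificate as an x5c member (constructed sample data).
func SelfSignedX5c() (*rsa.PublicKey, []string, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // sample data only; error ignored on purpose
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return &priv.PublicKey, []string{base64.StdEncoding.EncodeToString(der)}, err
}
```

A gateway that only consumes x5c still has to validate the leaf (issuer, validity, trust) before using its key; parsing it is the easy part that this example covers.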
