I'd say it's really an implementation detail. But I think either 1 or 2 would work. I'd probably opt for 1 because a JWK will always have the key while "x5t#S256" is optional so some more work needs to happen to ensure it is present and/or deal with it being absent.
This harks back to the question you raised in August last year[1] about whether the JWK x5c parameter was needed vs. just using the JWK's public key. I still kinda feel that matching on the key material is preferable but there was push-back on that.

[1] https://www.ietf.org/mail-archive/web/oauth/current/msg17482.html

On Tue, Mar 6, 2018 at 3:10 AM, Vladimir Dzhuvinov <[email protected]> wrote:
> A question came up in a conversation with a developer:
>
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2.2.2
>
> What should the AS do when authenticating a client when the client has
> registered a JWK (jwks_uri) with a "x5t#S256" parameter instead of a "x5c"?
>
> 1. Ignore the registered cert "x5t#S256" and match the key material of
> the received cert with the key material of the registered JWK.
>
> 2. Match the registered cert "x5t#S256" with the "x5t#S256" of the
> received cert.
>
> 3. Something else?
>
> Thanks,
>
> Vladimir
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
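As an added illustration of the two options discussed in this thread (not code from the thread or from any draft implementation): option 1 compares the public key of the presented certificate with the registered JWK, option 2 compares "x5t#S256" thumbprints, and the lookup below lets key material decide while still requiring a registered thumbprint, when one is present, to agree. It assumes the certificate's public key has already been extracted into JWK form by an X.509 library; the certificate bytes and keys are constructed stand-ins.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """JWK 'x5t#S256': base64url (unpadded) SHA-256 of the DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _key_material(jwk: dict) -> tuple:
    """Reduce a JWK to the fields that define its public key (RSA or EC)."""
    kty = jwk.get("kty")
    if kty == "RSA":
        return ("RSA", jwk["n"], jwk["e"])
    if kty == "EC":
        return ("EC", jwk["crv"], jwk["x"], jwk["y"])
    raise ValueError(f"unsupported kty: {kty!r}")


def match_by_key_material(cert_public_jwk: dict, registered_jwk: dict) -> bool:
    """Option 1: compare the public key from the received cert with the registered JWK."""
    try:
        return _key_material(cert_public_jwk) == _key_material(registered_jwk)
    except (KeyError, ValueError):
        return False


def match_by_thumbprint(cert_der: bytes, registered_jwk: dict):
    """Option 2: compare x5t#S256 values. Returns None when the registered JWK has none."""
    registered = registered_jwk.get("x5t#S256")
    if registered is None:
        return None
    return hmac.compare_digest(x5t_s256(cert_der), registered)


def find_registered_key(cert_der: bytes, cert_public_jwk: dict, registered_jwks: list):
    """Return the registered JWK the presented cert corresponds to, else None.
    Key material decides; a registered x5t#S256, if any, must also agree."""
    for jwk in registered_jwks:
        if not match_by_key_material(cert_public_jwk, jwk):
            continue
        if match_by_thumbprint(cert_der, jwk) is False:
            continue  # thumbprint registered but disagrees with the presented cert
        return jwk
    return None


# Constructed sample data (not a real certificate or key). The cert's public key is
# assumed to have been extracted into JWK form by an X.509 library (hypothetical step).
CERT_DER = b"constructed-stand-in-for-a-DER-encoded-self-signed-certificate"
CERT_PUBLIC_JWK = {"kty": "RSA", "n": "sample-modulus", "e": "AQAB"}
REGISTERED_JWKS = [
    {"kty": "EC", "crv": "P-256", "x": "other-x", "y": "other-y"},
    {"kty": "RSA", "n": "sample-modulus", "e": "AQAB", "x5t#S256": x5t_s256(CERT_DER)},
]
```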
