I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's comment was an assumption that signing ATs and ID Tokens with different keys would be done to prevent token substitution/confusion. And there's not really a practical way to achieve that with the mechanics of the jwks_uri.
On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci <vittorio.bertocci= 40auth0....@dmarc.ietf.org> wrote: > *>§4 p3: The only practical way for the AS to sign ATs and ID Tokens with > different keys is to publish the keys in two different JWK sets. This only > way to do this today is by publishing separate OAuth 2.0 authorization > server metadata and OIDC Discovery metadata files, where the JWK set in the > former applies to access tokens and the JWK set in the latter applies to ID > Tokens.* > > Hmm, I don’t follow. The OIDC jwks_uri can contain multiple keys, and they > all can be used for signing. What prevents the AS to use one key from that > list for IDtokens and another for ATs? Separate discovery docs shouldn’t be > necessary. Sure, there would be no way for the RS to know what key is used > for what- but similar mechanisms are already in place today for handling > signing key rotation: e.g. the discovery doc lists the current key and the > future key, but uses only the current- and the RS has no way of > distinguishing between the two. The situation here can be analogous, any > key in the discovery doc should be considered valid by the RS, and in fact > there’s no requirement about selecting specific keys in the validation > section. That doesn’t mean this is useless, an AS might elect to use > different keys for its own purposes (eg separation of concerns for > forensics, different strengths, different lifecycles, and so on). > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
