Public key in JWT #44

bc-pi · 2024-04-09T22:38:43Z

Please consider using the jwk header parameter to convey the public key in the JWT sent by the browser. That would better leverage existing standards, be similar to how DPoP did much the same thing: https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-proof-jwt-syntax, and remove ambiguity of "key": "public key", in the current example.

The text was updated successfully, but these errors were encountered:

arnar · 2024-04-10T06:24:59Z

Thanks. Just to check: The jwk header field is only meant to hold a key for which the JWT itself is signed with, correct?

That works fine here because the registration is self-signed, but if it ever wasn't (e.g. if we added cross-signing between sessions at some point) would it still make sense?

bc-pi · 2024-04-10T18:31:30Z

Thanks. Just to check: The jwk header field is only meant to hold a key for which the JWT itself is signed with, correct?

Yes. That's from https://www.rfc-editor.org/rfc/rfc7515#section-4.1.3

That works fine here because the registration is self-signed, but if it ever wasn't (e.g. if we added cross-signing between sessions at some point) would it still make sense?

It's hard to say in the abstract or hypothetical but wouldn't it make sense to figure out how that would work and define it when/if such a thing was added?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Public key in JWT #44

Public key in JWT #44

bc-pi commented Apr 9, 2024

arnar commented Apr 10, 2024

bc-pi commented Apr 10, 2024

Public key in JWT #44

Public key in JWT #44

Comments

bc-pi commented Apr 9, 2024

arnar commented Apr 10, 2024

bc-pi commented Apr 10, 2024