In Connect these public keys are used to:

1. verify the signature of request objects (Signed Requests), something not in
   OAuth yet, and part of what the description calls higher level protocols.
2. encrypt the responses from the user_info endpoint or id_token (also not part
   of OAuth directly at this point).
3. validate requests to the token endpoint authenticated by the JWT assertion
   profile. I think this is legitimate OAuth use.

Whew, for the PoP specs:

4. used to encrypt the symmetric proof key in a JWK sent to the client
   http://tools.ietf.org/html/draft-bradley-oauth-pop-key-distribution-01#page-7
5. used to provide a PoP key for the client to the AS as part of registration
   rather than passing the JWK on each request to the token endpoint.

So the keys in the JWK can be used a number of ways by the AS.

I think we could reference 3 and 4 as examples to be safe.

John B.


On Jul 8, 2014, at 3:04 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

> Was there specific language that had been discussed to be added for this?  If 
> not, could someone please create some?
> 
>                               Thanks,
>                               -- Mike
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Tuesday, July 08, 2014 5:09 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Dynamic Client Registration: jwks / jwks_uri
> 
> Hi all,
> 
> in my earlier review I had noted that the semantic of the fields is 
> underspecified, i.e., it is not clear what these fields are used for.
> 
> In private conversations I was told that an informal reference to a potential 
> use case will be added. I don't see such reference with version -18.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
