On Tue, Jul 12, 2022 at 09:46:01PM +0200, Warren Parad wrote:
> I don't know if this is relevant, but jwks.json isn't registered, because
> it doesn't have to be at that location. The
> /.well-known/openid-configuration discovery document, which is registered,
> uses the jwks_uri property to specify the location of the jwks. For
> instance, our product doesn't have the jwks at /.well-known/jwks.json for a
> lot of different reasons. Having a discovery document that points to your
> jwks makes sense, ideally you would be able to use the known discovery
> document at /openid-configuration, but I don't know if that is viable or
> makes sense for your context.

Hmm, perhaps we need to give stronger guidance to site operators that the
contents of /.well-known/* belong to "the protocol" and that they pick
arbitrary new (unregistered) names at their own risk.  (If "you" are
serving content at /.well-known/jwks.json and I go register that URI with
different semantics, clients that know about my new and try it against
"your" server will encounter unexpected behavior.)

(I assume that you, Warren, don't control the baeldung.com pages.)

-Ben
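The resolution step Warren describes, as an added example that is not part of this thread: a client derives the discovery document from the issuer, reads `jwks_uri` from it, and never assumes `/.well-known/jwks.json`. The issuer, hostnames, key id and both JSON documents below are constructed for the demonstration.

```python
# Added example (not from the thread): resolve a JWKS location the way OpenID
# Connect Discovery intends, instead of assuming /.well-known/jwks.json.
import json
from urllib.parse import urlsplit


def discovery_url(issuer: str) -> str:
    """Per OIDC Discovery the metadata lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def resolve_jwks_uri(expected_issuer: str, discovery_doc: str) -> str:
    """Parse a discovery document body and return its jwks_uri after sanity checks.

    A real client fetches the body from discovery_url(expected_issuer) over TLS;
    the caller passes it in here so the example runs offline.
    """
    meta = json.loads(discovery_doc)
    # OIDC Discovery requires the document's issuer to equal the issuer asked about.
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (meta.get("issuer"), expected_issuer))
    jwks_uri = meta.get("jwks_uri")
    if not isinstance(jwks_uri, str):
        raise ValueError("discovery document has no jwks_uri")
    parts = urlsplit(jwks_uri)
    # Verification keys must come over TLS from an absolute URL; anything else
    # would let a mis-pointed or downgraded jwks_uri substitute the key set.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("jwks_uri must be an absolute https URL")
    return jwks_uri


def find_key(jwks_doc: str, kid: str) -> dict:
    """Select the key with the given kid from a JWKS document (RFC 7517)."""
    for key in json.loads(jwks_doc).get("keys", []):
        if key.get("kid") == kid:
            return key
    raise KeyError(kid)


# Constructed sample documents; the JWKS deliberately sits somewhere other than
# /.well-known/jwks.json, as in Warren's deployment. Key material is a placeholder.
SAMPLE_ISSUER = "https://issuer.example"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": "https://keys.issuer.example/v2/keys",
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "2022-07", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"}]})

if __name__ == "__main__":
    uri = resolve_jwks_uri(SAMPLE_ISSUER, SAMPLE_DISCOVERY)
    print(discovery_url(SAMPLE_ISSUER), "->", uri)
    print("signing key:", find_key(SAMPLE_JWKS, "2022-07")["kid"])
```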

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
