>> It would’ve been nice if JWK could’ve agreed on a URL-based
>> addressing format for individual keys within the set, but that ship’s sailed.

Using the fragment on a JWKS URL to indicate the key id would be good. Then a single URL by itself can identify a specific key.

  https://example.com/keys.jwks#2011-04-29

This would have worked particularly well if a JWKS was a JSON object with key-ids as the member names, instead of an array. That is presumably too late to fix. But defining the fragment format for application/jwk-set+json to be a kid value should be possible.

If you put multiple keys with the same key-id in a JWKS you are asking for trouble -- just call that a non-interoperable corner for people to avoid.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
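
The fragment scheme proposed in the message above, sketched as an added example: it is not part of the original post and not a defined standard. The names `split_key_url`, `select_key` and `KeySelectionError` are hypothetical, and the sample JWK Sets are constructed with placeholder key material. A duplicate kid is rejected instead of resolved to the first match.

```python
from urllib.parse import urldefrag, unquote


class KeySelectionError(Exception):
    """Raised when a URL fragment does not identify exactly one key."""


def split_key_url(key_url):
    """Split a key URL into (JWKS URL to fetch, kid taken from the fragment)."""
    jwks_url, fragment = urldefrag(key_url)
    if not fragment:
        raise KeySelectionError("URL has no fragment, so it names no specific key")
    # The fragment never reaches the server; the client applies it after fetching.
    return jwks_url, unquote(fragment)


def select_key(key_url, jwks):
    """Return the single JWK in `jwks` whose kid equals the URL fragment."""
    _, kid = split_key_url(key_url)
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list):
        raise KeySelectionError("not a JWK Set: 'keys' must be an array")
    matches = [k for k in keys if isinstance(k, dict) and k.get("kid") == kid]
    if not matches:
        raise KeySelectionError(f"no key with kid {kid!r}")
    if len(matches) > 1:
        # Duplicate kids make the URL ambiguous: refuse rather than guess.
        raise KeySelectionError(f"{len(matches)} keys share kid {kid!r}")
    return matches[0]


# Constructed sample JWK Sets; the x/y/n values are placeholders, not real keys.
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "kid": "2011-04-29", "crv": "P-256",
     "x": "placeholder-x", "y": "placeholder-y"},
    {"kty": "RSA", "kid": "2011-05-30", "n": "placeholder-n", "e": "AQAB"},
]}
DUPLICATE_KID_JWKS = {"keys": [
    {"kty": "EC", "kid": "2011-04-29", "crv": "P-256",
     "x": "placeholder-x1", "y": "placeholder-y1"},
    {"kty": "EC", "kid": "2011-04-29", "crv": "P-256",
     "x": "placeholder-x2", "y": "placeholder-y2"},
]}

if __name__ == "__main__":
    print(select_key("https://example.com/keys.jwks#2011-04-29", SAMPLE_JWKS))
```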