Retrieving the TLS cert to be bound to the token #183

Closed
SachiniSiriwardene opened this issue Apr 8, 2020 · 5 comments
Labels
Security Change or question related to the information security profile

Comments

@SachiniSiriwardene

Request For Clarification

This query was initially raised in https://github.com/cdr-register/register/issues/56.
Raising it here again since an adequate response was not received.
How is the value for the KID computed in the JWKS? Is there any standard that should be followed?
Need to clarify this since the kid value is needed to obtain the TLS certificate in order to bind it to the token. (Holder of Key)
Also, is there a recommended format for the published jwks endpoint of the DR?

@jogu

jogu commented Apr 8, 2020

Are you talking about access tokens obtained from the token endpoint? As per https://tools.ietf.org/html/rfc8705 the token should be bound to the certificate presented at the token endpoint. All the relevant vendors already implement this as it's part of FAPI-RW; it's not unique to CDR.
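As an added illustration of the RFC 8705 binding jogu refers to (this is example code written for this page, not code from CDR, FAPI or any vendor), the following Python, standard library only, shows both sides: the authorization server derives the `cnf` thumbprint from the client certificate presented on the token-endpoint mTLS connection, and the resource server later refuses the token unless the certificate on the request's mTLS connection hashes to the same value. The issuer URL, scope string and certificate byte strings are constructed placeholders; a real server takes the DER bytes from the TLS layer. Nothing is fetched from the client's JWKS, which only serves the separate private_key_jwt client authentication.

```python
"""RFC 8705 certificate-bound access tokens (added example, not CDR/FAPI code).

The token is bound to the client certificate presented on the mutual-TLS
connection to the token endpoint (RFC 8705 section 3):
    cnf = {"x5t#S256": base64url(SHA-256(DER-encoded certificate))}
The resource server compares that thumbprint against the certificate on the
mTLS connection that carries the API call.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-ins for DER-encoded client certificates. A real server
# takes these bytes from the TLS layer (the peer certificate of the mTLS
# session); any byte string exercises the thumbprint logic identically.
CLIENT_A_CERT_DER = b"constructed DER bytes standing in for client A's certificate"
CLIENT_B_CERT_DER = b"constructed DER bytes standing in for client B's certificate"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and RFC 8705 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 section 3.1: x5t#S256 = base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(client_id: str, scope: str, tls_client_cert_der: bytes,
                now: Optional[int] = None) -> dict:
    """Authorization server side: mint access-token claims bound to the
    certificate the client presented on the token-endpoint mTLS connection.
    Signing the resulting JWT with the AS key is omitted; it does not affect
    the binding."""
    now = int(time.time()) if now is None else now
    return {
        "iss": "https://as.example",  # assumed issuer, not from the thread
        "sub": client_id,
        "scope": scope,               # assumed scope string
        "iat": now,
        "exp": now + 300,
        "cnf": {"x5t#S256": cert_thumbprint(tls_client_cert_der)},
    }


def verify_binding(token: dict, tls_client_cert_der: Optional[bytes]) -> bool:
    """Resource server side: accept the token only if the certificate on this
    request's mTLS connection matches the token's cnf claim (RFC 8705 section 3).
    Signature and expiry checks are assumed to have passed already.

    A token without a cnf claim is rejected rather than treated as a bearer
    token; otherwise a stolen token could be replayed over any connection."""
    cnf = token.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False
    if tls_client_cert_der is None:  # no client certificate on this connection
        return False
    return hmac.compare_digest(cnf["x5t#S256"], cert_thumbprint(tls_client_cert_der))


if __name__ == "__main__":
    token = issue_token("client-a", "accounts:read", CLIENT_A_CERT_DER)
    print("same cert:     ", verify_binding(token, CLIENT_A_CERT_DER))  # True
    print("other cert:    ", verify_binding(token, CLIENT_B_CERT_DER))  # False
    print("no client cert:", verify_binding(token, None))               # False
```

The comparison uses `hmac.compare_digest` so the check does not leak how many leading characters of the thumbprint matched, and a token with no `cnf` claim fails closed: on an API that requires sender-constrained tokens, silently accepting an unbound token would reintroduce the bearer-token replay problem RFC 8705 exists to remove.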

@CDR-API-Stream
Collaborator

Hi @SachiniSiriwardene in addition to @jogu comments, can you please clarify the issue you're trying to resolve with the question "is there a recommended format for the published jwks endpoint of the DR?"

@SachiniSiriwardene
Author

I was under the impression that the TLS cert would have to be obtained through the respective JWKS endpoint of the ADR, hence the question regarding the format of the JWKS. @jogu thanks for the advice. I assume that the TLS cert can then be obtained from the request itself. I was in doubt about this since the method of authentication to the token endpoint in CDR is mentioned as pvt_key jwt.
@CDR-API-Stream In any case, since the JWKS endpoints are expected to be hosted by the respective ADRs, is there a particular format for the JSON?

@CDR-API-Stream
Collaborator

Hi @SachiniSiriwardene the relevant normative standard is RFC 7517 - JSON Web Key (JWK).

There are further details in the Dynamic Client Registration section of the CDR Register.
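An added example of the RFC 7517 format the answer points to (written for this page, not the CDR Register's or any ADR's code): a constructed JWK Set with placeholder key material, a validator for the members RFC 7517 and RFC 7518 require, a `kid` lookup that also honours the key's `use` so a signature is never verified against an encryption key, and one way to derive a stable `kid`, the RFC 7638 JWK Thumbprint. Neither this thread nor RFC 7517 mandates the thumbprint convention; it is assumed here as an illustration, and any unique string is an equally valid `kid`.

```python
"""RFC 7517 JWK Set handling for a client's published jwks endpoint
(added example, not CDR Register code)."""
import base64
import hashlib
import json

# Required members per key type (RFC 7518 sections 6.2 and 6.3). These are also
# exactly the members RFC 7638 hashes for the JWK Thumbprint.
REQUIRED_MEMBERS = {"RSA": ("e", "n"), "EC": ("crv", "x", "y")}

# Constructed JWK Set. The "n" values are short placeholders, not real moduli.
JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "PS256", "kid": "2020-04-sig",
         "n": "placeholder-modulus-A", "e": "AQAB"},
        {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "2020-04-enc",
         "n": "placeholder-modulus-B", "e": "AQAB"},
    ]
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_jwks(jwks: dict) -> None:
    """Reject documents that do not satisfy RFC 7517: a top-level "keys" array,
    every key an object with "kty" and that type's required members, and no
    two keys sharing a "kid". Raises ValueError on the first problem found."""
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list):
        raise ValueError('JWK Set must be an object with a "keys" array')
    seen_kids = set()
    for i, jwk in enumerate(keys):
        if not isinstance(jwk, dict):
            raise ValueError(f"key {i}: not a JSON object")
        kty = jwk.get("kty")
        if kty not in REQUIRED_MEMBERS:
            raise ValueError(f"key {i}: unsupported or missing kty {kty!r}")
        missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
        if missing:
            raise ValueError(f"key {i}: missing {missing} for kty {kty}")
        kid = jwk.get("kid")  # optional in RFC 7517, but must be unique if present
        if kid is not None:
            if kid in seen_kids:
                raise ValueError(f"key {i}: duplicate kid {kid!r}")
            seen_kids.add(kid)


def select_key(jwks: dict, kid: str, use: str = "sig") -> dict:
    """Pick the key a JWS header's "kid" names. A key published for another
    purpose ("use") is never returned, so kid confusion cannot make a verifier
    check a signature against an encryption key. Raises KeyError if absent."""
    validate_jwks(jwks)
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid and jwk.get("use", use) == use:
            return jwk
    raise KeyError(f"no {use} key with kid {kid!r}")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: hash only the required members plus "kty",
    serialised with lexicographically ordered names and no whitespace, then
    base64url. Optional members (kid, use, alg) and input order do not matter,
    which is what makes it usable as a stable "kid" value (an assumption of
    this example, not a rule from the thread)."""
    kty = jwk["kty"]
    canonical = {"kty": kty, **{m: jwk[m] for m in REQUIRED_MEMBERS[kty]}}
    serialised = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialised.encode("utf-8")).digest())


if __name__ == "__main__":
    validate_jwks(JWKS)
    for jwk in JWKS["keys"]:
        print(jwk["kid"], jwk["use"], "thumbprint:", jwk_thumbprint(jwk))
    print("sig lookup:", select_key(JWKS, "2020-04-sig")["alg"])
```

Because the thumbprint covers only the public key material, republishing the same key with a different `alg` or `use` yields the same value; if a deployment rotates keys it therefore gets a new `kid` exactly when the key itself changes, which is the property a verifier caching keys by `kid` relies on.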

@CDR-API-Stream CDR-API-Stream added this to Full Backlog in Data Standards Maintenance via automation Apr 21, 2020
@CDR-API-Stream CDR-API-Stream added the Security Change or question related to the information security profile label Apr 21, 2020
@CDR-API-Stream
Collaborator

This issue has been closed as per the Data Standards Maintenance process. No further questions or comments have been received since an answer was provided.

Data Standards Maintenance automation moved this from Full Backlog to Done May 15, 2020