
Conversation

@deshmukhrajvardhan
Contributor

@deshmukhrajvardhan deshmukhrajvardhan commented Apr 1, 2025

PR Checkpoints

  • official html rendering, which is generated using mmark - Download it from the GitHub action tab, https://github.com/openid/OpenID4VP/pull//checks - by clicking on 'artifacts' and then 'output'
  • >=4 approvals OR >=2 if editorial PR
  • >=1 week since PR's final state
  • Only Chairs can merge the PR

Summary

Clarify key selection for client_metadata jwks like described in FAPI: https://openid.net/specs/openid-financial-api-part-2-1_0.html#duplicate-key-identifiers

Related Issue(s)

resolves #438

Special notes for your reviewer

@Sakurann Sakurann requested review from awoie, bc-pi, c2bo and tplooker April 1, 2025 10:36
@Sakurann Sakurann added this to the Final 1.0 milestone Apr 2, 2025
@bc-pi
Member

bc-pi commented Apr 3, 2025

Honestly not sure this works well with anticipated changes from #477

Comment on lines +333 to +334
### Key Selection for `jwks` Client Metadata Parameter {#client_metadata_key_selection}
JWK sets SHOULD NOT contain multiple keys with the same `kid`. However, when there are multiple keys with the same `kid`, the verifier shall consider other JWK attributes, such as `kty`, `use`, `alg`, etc., when selecting the verification key for the particular JWS message.
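Review bot: the new section at lines 333-334 describes picking "the verification key for the particular JWS message", but it is reached only from the `client_metadata` `jwks` parameter, whose keys (as quoted later in this thread) MUST NOT be used to verify the signature of signed Authorization Requests, and the implementer feedback that motivated the PR concerns response encryption; the sentence should name the operation the keys are actually used for (selecting the encryption key for the response JWE, matching `use` = `enc` and the `alg` the Verifier advertised) rather than JWS verification. The lowercase "shall" also sits oddly beside the RFC 2119 "SHOULD NOT" in the preceding sentence; "MUST" or "SHALL" would keep the keyword style consistent.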
@Sakurann
Collaborator

Sakurann commented Apr 5, 2025

@bc-pi umm this is based on the feedback from the implementers who have implemented only response encryption (no JARM kind of signing at all), so I still think this PR is valuable regardless of #477

@bc-pi
Member

bc-pi commented Apr 7, 2025

@bc-pi umm this is based on the feedback from the implementers who have implemented only response encryption (no JARM kind of signing at all) so i still think this PR is valuable regardless of #477

I think I was largely reacting to the text (now gone) that was borrowed from FAPI. But the "selecting the verification key for the particular JWS message" in this PR is in a new little section that is referenced only from the context of the client_metadata/jwks param where it says "Public keys included in this parameter MUST NOT be used to verify the signature of signed Authorization Requests".

Admittedly I don't know specifically what that feedback from the implementers was but the text introduced here is incorrect so probably doesn't meaningfully address it.


@bc-pi bc-pi left a comment


see prior comments #483 (comment) & #483 (comment)

@Sakurann
Collaborator

Sakurann commented Apr 7, 2025

superseded by #477

@Sakurann Sakurann closed this Apr 11, 2025