I am ok with saying that the JWK must have a keyid if there is more than one key and it SHOULD if there is only one.

Sent from my iPhone

> On Mar 5, 2015, at 1:43 PM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>
> Hi John,
>
> that's a good idea. However, the dynamic client registration should
> state that the "kid" parameter is used and must be included in the JWK
> (since the kid is an optional parameter).
>
> The key name is then the 'kid' plus the client id since the value of the
> kid is not unique by itself.
>
> Ciao
> Hannes
>
>> On 03/05/2015 12:54 PM, John Bradley wrote:
>> For signing authentication requests you include the keyid in the JWT, and
>> the AS looks in the JWKS to find the correct key if there is more than one.
>>
>> I don't think that is a problem
>>
>> What we probably need to do is pass a keyid in the request if there is more
>> than one signing key registered for the client.
>>
>> John B.
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
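
The key-selection rule discussed in this thread, as an added example that is not part of the original messages or of any specification text: keys are indexed by client id plus `kid`, and a `kid` is mandatory only when a client registers more than one key. All function names and the sample JWKS values are constructed for illustration.

```python
# Added illustration; names and sample data are hypothetical/constructed.
class KeySelectionError(Exception):
    pass

# Constructed registrations: two clients reuse the same kid "k1".
SAMPLE_REGISTRATIONS = {
    "client-a": {"keys": [{"kty": "oct", "kid": "k1", "k": "AAAA"},
                          {"kty": "oct", "kid": "k2", "k": "BBBB"}]},
    "client-b": {"keys": [{"kty": "oct", "kid": "k1", "k": "CCCC"}]},
}

def validate_client_jwks(jwks):
    """Registration check: kid is required (and distinct) on every key
    when more than one key is registered; optional for a single key."""
    keys = jwks.get("keys", [])
    if not keys:
        raise KeySelectionError("JWKS contains no keys")
    if len(keys) > 1:
        kids = [key.get("kid") for key in keys]
        if not all(kids):
            raise KeySelectionError("kid required when several keys are registered")
        if len(set(kids)) != len(kids):
            raise KeySelectionError("duplicate kid within one client's JWKS")
    return keys

def build_key_index(registrations):
    """Name each key (client_id, kid): a kid is not unique by itself."""
    index = {}
    for client_id, jwks in registrations.items():
        for key in validate_client_jwks(jwks):
            index[(client_id, key.get("kid"))] = key
    return index

def select_key(index, client_id, kid=None):
    """Return the verification key for a signed request from client_id."""
    candidates = {name: key for name, key in index.items() if name[0] == client_id}
    if not candidates:
        raise KeySelectionError("unknown client")
    if kid is None:
        # Without a kid the choice is only unambiguous for a single key.
        if len(candidates) == 1:
            return next(iter(candidates.values()))
        raise KeySelectionError("kid required: client has several keys")
    if (client_id, kid) not in candidates:
        # Never fall back to another client's key with the same kid.
        raise KeySelectionError("no key with this kid for this client")
    return candidates[(client_id, kid)]
```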