I would expect the RS would only have one or two keys that it has published for encryption.
I would expect the encryptor to provide a key ID "kid" if the RS has published more than one key (e.g. for key rotation), and they probably should anyway unless size is unusually constrained. See JWE 4.1.6.

The number of AS is not relevant for encryption to the RS unless you are using symmetric keys, and in that case there is likely only one key per AS (iss), so iss should be sufficient.

John B.

> On Mar 13, 2016, at 5:44 PM, Mike Schwartz <m...@gluu.org> wrote:
>
> I like the idea of an encrypted JWT... I guess if there are multiple AS's,
> how would you know which key to use? Cycle through each key? Are you
> suggesting maybe use a non-encrypted JWT that contains an encrypted JWT as a
> value? Something like
>
> {"iss": "https://example.com",
> "token": "fjbfgy5Fdx8ybx0.."
> }
>
> Are there any OAuth2 profiles to standardize this approach?
>
> - Mike
>
>
> --------------------------
>
> Michael Schwartz
> Gluu
> Founder / CEO
> m...@gluu.org
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
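The key-selection rule John describes (match on "kid" when the RS publishes more than one encryption key, fall back to the single published key when there is only one, never guess otherwise) is shown below as an added example; it is not code from the thread or from any OAuth implementation. It only parses the JWE protected header and chooses the key, it does not decrypt. The JWK Set, the "kid" values and the token shapes are constructed for the example, and the placeholder key material is not a real key.

```python
import base64
import json

# Constructed JWK Set as an RS might publish it: two RSA-OAEP encryption keys
# (rotation in progress) plus one signing key that must never be selected for
# decryption. The "n" values are placeholders, not real modulus material.
RS_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "enc-2016-02", "use": "enc", "alg": "RSA-OAEP",
         "n": "<placeholder>", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-2016-03", "use": "enc", "alg": "RSA-OAEP",
         "n": "<placeholder>", "e": "AQAB"},
        {"kty": "RSA", "kid": "sig-2016-01", "use": "sig", "alg": "RS256",
         "n": "<placeholder>", "e": "AQAB"},
    ]
}


def b64url_decode(s):
    # JOSE base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_test_token(header):
    # Constructed JWE compact shape: only the protected header is meaningful;
    # the encrypted key, IV, ciphertext and tag are dummy segments.
    return b64url_encode(json.dumps(header).encode()) + ".k.iv.ct.tag"


def parse_jwe_header(compact):
    # JWE compact serialization has exactly five dot-separated segments.
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("not JWE compact serialization (expected 5 parts)")
    header = json.loads(b64url_decode(parts[0]))
    if "alg" not in header or "enc" not in header:
        raise ValueError("JWE protected header must carry alg and enc")
    return header


def encryption_keys(jwks):
    # Keys marked "use": "sig" are excluded; a key with no "use" is eligible.
    return [k for k in jwks["keys"] if k.get("use", "enc") == "enc"]


def select_decryption_key(jwks, header):
    candidates = encryption_keys(jwks)
    kid = header.get("kid")
    if kid is not None:
        matches = [k for k in candidates if k.get("kid") == kid]
        if len(matches) != 1:
            raise LookupError(f"no unique encryption key with kid={kid!r}")
        key = matches[0]
    elif len(candidates) == 1:
        # Single published key: kid is optional, as in John's first point.
        key = candidates[0]
    else:
        # Several keys and no kid: refuse rather than cycling through keys.
        raise LookupError("no kid and more than one encryption key published")
    if "alg" in key and key["alg"] != header["alg"]:
        raise ValueError("header alg does not match the selected key's alg")
    return key


def choose_key_for_token(jwks, compact):
    return select_decryption_key(jwks, parse_jwe_header(compact))
```

Refusing to decrypt when no "kid" is present and several keys are published is deliberate: trying each key in turn multiplies the attack surface of the key-unwrapping step and makes errors indistinguishable from wrong-key failures, so the RS should insist on a key identifier as soon as it rotates keys.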