Archived 2023.08.11. Content moved to Guidance on Client Authentication
Question
What is the rationale for the Data Holder (DH) providing a JWKS URI in the enrolment form and for the DCR register? Shouldn't the information here be used by the Accredited Data Recipients (ADRs) to access the DH's JWKS instead of having a separate entry entirely?
Answer
The JWKS endpoint obtained during onboarding is published in the GetDataHolderBrands API. This is used for client authentication for DH-to-ADR communication. There is nothing preventing this endpoint from being the same as the one published in the OIDC Discovery document.
The rationale for having a separate endpoint configuration is so that outbound calls to the ADR can access different platform resources than the identity provider hosted by the DH. This configuration provides the flexibility to keep these systems separate if required.
See: RegisterDataHolderAuth schema in GetDataHolderBrands descriptions (issue #189)
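The flow the answer describes, as an added example in Go that is not code from the CDR Support Portal or the Consumer Data Standards: the DH publishes one key set behind its identity provider's OIDC discovery jwks_uri and a different key set behind the jwksEndpoint the Register publishes in GetDataHolderBrands, signs an outbound client assertion (private_key_jwt, PS256) with the outbound key, and the ADR resolves the DH's JWKS from the brand's RegisterDataHolderAuth entry rather than from the discovery document. The field names registerUType and jwksEndpoint, the URLs, kids and brand id, and the 300-second assertion lifetime are assumptions; the JWKS documents are constructed inside the block and the fetch closure stands in for an HTTPS GET.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds only what an RSA signing key needs (a JWKS is a slice of them); RegisterDataHolderAuth models the entry of that name in a GetDataHolderBrands record (field names assumed from the Register API).
type JWK struct{ Kty, Kid, N, E string }
type RegisterDataHolderAuth struct{ RegisterUType, JwksEndpoint string }
var enc = base64.RawURLEncoding // base64url without padding, as JOSE requires

func NewSigningKey(kid string) (*rsa.PrivateKey, JWK) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key, JWK{"RSA", kid, enc.EncodeToString(key.N.Bytes()), enc.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
}

// SignClientAssertion builds the private_key_jwt assertion a DH presents to an ADR endpoint (PS256).
func SignClientAssertion(key *rsa.PrivateKey, kid, iss, aud string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	now := time.Now().Unix()
	claims, _ := json.Marshal(map[string]any{"iss": iss, "sub": iss, "aud": aud, "iat": now, "exp": now + 300})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyClientAssertion is the ADR side: pin alg, pick the key by kid from the resolved JWKS, check signature, aud and exp.
func VerifyClientAssertion(token string, jwks []JWK, aud string) (map[string]any, error) {
	hdrB64, rest, _ := strings.Cut(token, ".")
	claimsB64, sigB64, _ := strings.Cut(rest, ".")
	hdrRaw, _ := enc.DecodeString(hdrB64)
	claimsRaw, _ := enc.DecodeString(claimsB64)
	sig, err := enc.DecodeString(sigB64)
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "PS256" {
		return nil, fmt.Errorf("rejected: malformed JWT or alg %q is not PS256", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := enc.DecodeString(k.N)
			e, _ := enc.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not found in the resolved JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(hdrB64 + "." + claimsB64))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var claims map[string]any
	if json.Unmarshal(claimsRaw, &claims) != nil || claims["aud"] != aud {
		return nil, fmt.Errorf("claims unreadable or audience mismatch")
	}
	if exp, _ := claims["exp"].(float64); float64(time.Now().Unix()) > exp {
		return nil, fmt.Errorf("assertion expired")
	}
	return claims, nil
}

// ResolveOutboundJWKS is the lookup this page is about: the ADR takes the SIGNED-JWT jwksEndpoint from the brand's Register record, not the jwks_uri in the DH's OIDC discovery document.
func ResolveOutboundJWKS(auth []RegisterDataHolderAuth, fetch func(string) []JWK) ([]JWK, error) {
	for _, a := range auth {
		if a.RegisterUType == "SIGNED-JWT" {
			return fetch(a.JwksEndpoint), nil
		}
	}
	return nil, fmt.Errorf("brand has no SIGNED-JWT auth entry")
}

// Scenario signs with the Register-published key and verifies via both key sets; returns (error via discovery jwks_uri, error via Register jwksEndpoint).
func Scenario() (discoveryErr, registerErr error) {
	_, idpJWK := NewSigningKey("dh-idp-1")
	outKey, outJWK := NewSigningKey("dh-outbound-1")
	docs := map[string][]JWK{"https://idp.dh.example/.well-known/jwks": {idpJWK}, "https://outbound.dh.example/jwks": {outJWK}}
	fetch := func(u string) []JWK { return docs[u] } // constructed JWKS documents at hypothetical URLs; stands in for an HTTPS GET
	aud := "https://adr.example/arrangements/revoke" // hypothetical ADR endpoint
	assertion, _ := SignClientAssertion(outKey, "dh-outbound-1", "dh-brand-id", aud)
	_, discoveryErr = VerifyClientAssertion(assertion, fetch("https://idp.dh.example/.well-known/jwks"), aud)
	registerJWKS, _ := ResolveOutboundJWKS([]RegisterDataHolderAuth{{"SIGNED-JWT", "https://outbound.dh.example/jwks"}}, fetch)
	_, registerErr = VerifyClientAssertion(assertion, registerJWKS, aud)
	return discoveryErr, registerErr
}
```

Scenario returns a kid-not-found error for the discovery key set and nil for the Register-resolved one, which is the practical consequence of the answer: an ADR that resolves a DH's signing keys from the jwks_uri in the OIDC discovery document will reject legitimate DH-to-ADR calls whenever the DH has chosen to keep the two key sets separate.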