Archived 2023.08.11. Content moved to Guidance on Client Authentication
What is the rationale for the Data Holder (DH) providing a JWKS URI in the enrolment form and for the DCR register? Shouldn't the information here be used by the Accredited Data Recipients (ADRs) to access the DH's JWKS instead of having a separate entry entirely?
The JWKS endpoint obtained during onboarding is published through the GetDataHolderBrands API and is used for client authentication of DH-to-ADR communication. Nothing prevents this endpoint from being the same as the one published in the DH's OIDC Discovery document.
The rationale for configuring a separate endpoint is that the platform making outbound calls to the ADR may be a different system from the identity provider hosted by the DH, with its own key material. Configuring the two independently gives a DH the flexibility to keep these systems separate if required.
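The following added example (not code from the CDR Register or the Consumer Data Standards) shows the ADR-side consequence of this configuration: the key used to authenticate a call made by the DH is resolved from the brand record's JWKS endpoint, not from the DH's OIDC Discovery `jwks_uri`, even though the two may coincide. The `authDetails`/`jwksEndpoint` field names, the PS256 algorithm and all URIs and keys are assumptions constructed for the example.

```python
import base64
import json

# Constructed GetDataHolderBrands entry; only the fields read below are included and
# the field names are assumed from the CDR Register API, not taken from this page.
BRAND = {
    "dataHolderBrandId": "brand-0001-constructed",
    "authDetails": [{"registerUType": "SIGNED-JWT",
                     "jwksEndpoint": "https://keys.example-bank.test/dh-client-auth/jwks"}],
}
# Constructed OIDC Discovery document for the same DH. Its jwks_uri is deliberately
# different: the two endpoints may coincide but are configured separately.
DISCOVERY = {"issuer": "https://idp.example-bank.test",
             "jwks_uri": "https://idp.example-bank.test/.well-known/jwks"}
# Constructed JWKS documents keyed by URI, standing in for HTTPS fetches so this runs offline.
JWKS_BY_URI = {
    BRAND["authDetails"][0]["jwksEndpoint"]: {"keys": [
        {"kty": "RSA", "kid": "dh-2023-08", "use": "sig", "alg": "PS256",
         "n": "<constructed-modulus>", "e": "AQAB"}]},
    DISCOVERY["jwks_uri"]: {"keys": [
        {"kty": "RSA", "kid": "idp-2023-08", "use": "sig", "alg": "PS256",
         "n": "<constructed-modulus>", "e": "AQAB"}]},
}

def b64url_segment(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def client_auth_jwks_uri(brand):
    """JWKS URI an ADR uses to authenticate calls made *by* this DH: taken from the
    Register brand record, never from the DH's OIDC Discovery document."""
    for auth in brand.get("authDetails", []):
        if auth.get("registerUType") == "SIGNED-JWT":
            return auth["jwksEndpoint"]
    raise ValueError("brand publishes no SIGNED-JWT auth details")

def select_dh_signing_key(brand, client_assertion, fetch_jwks=JWKS_BY_URI.__getitem__):
    """Resolve the JWK a JOSE library should verify a DH client_assertion against.
    Only key selection is shown; the signature check itself belongs to that library."""
    header_b64 = client_assertion.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4)))
    if header.get("alg") != "PS256":  # the only asymmetric alg this example accepts
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwks = fetch_jwks(client_auth_jwks_uri(brand))
    matches = [k for k in jwks["keys"]
               if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"
               and k.get("use", "sig") == "sig" and k.get("alg", "PS256") == "PS256"]
    if len(matches) != 1:
        raise ValueError(f"no unique PS256 signing key for kid {header.get('kid')!r}")
    return matches[0]
```

A `kid` that exists only in the Discovery JWKS is rejected, because that document is never consulted for DH-to-ADR client authentication.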