Archived 2023.09.09. Refer to CDS, Security Endpoints, JWKS URIS
Question
We have multiple JWKS keys, but just one key with the PS256 algorithm. The kid associated with this key is shared with other keys with different algorithms. Is this compliant?
Answer
No, sharing a kid among multiple keys is not compliant.
CDS, Security Endpoints, JWKS URIS, states the following:
- Data Holders and Data Recipients JWK sets MUST NOT contain multiple keys with the same "kid"
The kid value MUST be unique for each key in a set. The intent here is to avoid complexity for Accredited Data Recipients (ADRs) searching for keys which might otherwise be based on a Data Holder's bespoke implementation. ADRs can simply filter on kid to find the key they require.
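The following is an added example, not part of the original answer or of the CDS standard's own tooling. It checks a JWK Set for the unique-kid rule quoted above and shows concretely why a shared kid breaks the kid-only lookup that ADRs are expected to perform: with the kid shared across a PS256 key and keys for other algorithms, the ADR cannot resolve the verification key for a JWS without falling back to bespoke extra filtering. The JWK sets, the kid values and the JWS header are constructed for illustration; the "n"/"e" values are placeholders, not real RSA public keys, and no signature is verified.

```python
"""Check a JWK Set for the CDS rule that every "kid" is unique, and show why an
ambiguous "kid" breaks the simple kid-based lookup ADRs rely on.

All JWK sets and JWS values below are constructed for illustration (assumption);
the "n"/"e" members are placeholders, not real RSA public keys."""
import base64
import json
from collections import Counter

# Constructed non-compliant set: the one PS256 key shares its kid with keys for other algorithms.
NON_COMPLIANT_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "PS256", "n": "placeholder-1", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "RS256", "n": "placeholder-2", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-1", "use": "enc", "alg": "RSA-OAEP", "n": "placeholder-3", "e": "AQAB"},
]})

# Constructed compliant set: the same keys, each with its own kid.
COMPLIANT_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-ps256-2023", "use": "sig", "alg": "PS256", "n": "placeholder-1", "e": "AQAB"},
    {"kty": "RSA", "kid": "sig-rs256-2023", "use": "sig", "alg": "RS256", "n": "placeholder-2", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-oaep-2023", "use": "enc", "alg": "RSA-OAEP", "n": "placeholder-3", "e": "AQAB"},
]})


def duplicate_kids(jwks_json: str) -> dict[str, int]:
    """Map every kid that appears more than once to its count. An empty dict means the set complies."""
    keys = json.loads(jwks_json)["keys"]
    counts = Counter(k["kid"] for k in keys if "kid" in k)
    return {kid: n for kid, n in counts.items() if n > 1}


def missing_kids(jwks_json: str) -> int:
    """Number of keys with no kid at all; such keys cannot be selected by kid either."""
    return sum(1 for k in json.loads(jwks_json)["keys"] if "kid" not in k)


def find_key(jwks_json: str, kid: str) -> dict:
    """Select a key by kid only, the lookup the CDS rule is designed to make sufficient.
    Raises KeyError if the kid is absent and ValueError if more than one key carries it."""
    matches = [k for k in json.loads(jwks_json)["keys"] if k.get("kid") == kid]
    if not matches:
        raise KeyError(f"no key with kid {kid!r}")
    if len(matches) > 1:
        algs = [k.get("alg") for k in matches]
        raise ValueError(f"kid {kid!r} is ambiguous: shared by {len(matches)} keys with algs {algs}")
    return matches[0]


def lookup_status(jwks_json: str, kid: str) -> str:
    """'unique', 'ambiguous' or 'absent' for a kid, for callers that prefer a status to exceptions."""
    try:
        find_key(jwks_json, kid)
        return "unique"
    except ValueError:
        return "ambiguous"
    except KeyError:
        return "absent"


def _b64url_decode(segment: str) -> bytes:
    # base64url segments in a JWS carry no padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def resolve_signing_key(jwks_json: str, jws_compact: str) -> dict:
    """Pick the verification key for a compact JWS from the kid in its protected header, then
    confirm the key's declared alg (if any) matches the header alg. Signature verification itself
    is out of scope here."""
    header = json.loads(_b64url_decode(jws_compact.split(".")[0]))
    key = find_key(jwks_json, header["kid"])
    if "alg" in key and key["alg"] != header["alg"]:
        raise ValueError(f"key {header['kid']!r} is for {key['alg']}, header says {header['alg']}")
    return key


def make_jws(kid: str, alg: str = "PS256") -> str:
    """Build a constructed compact JWS with an empty payload ("e30" = {}) and a placeholder signature."""
    header = json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.c2ln"


if __name__ == "__main__":
    print("non-compliant duplicates:", duplicate_kids(NON_COMPLIANT_JWKS))
    print("compliant duplicates:", duplicate_kids(COMPLIANT_JWKS))
    print("kid-only lookup on shared kid:", lookup_status(NON_COMPLIANT_JWKS, "key-1"))
    print("resolved alg:", resolve_signing_key(COMPLIANT_JWKS, make_jws("sig-ps256-2023"))["alg"])
```

Running `duplicate_kids` against a Data Holder's published JWKS is a cheap conformance check to add to a release pipeline; the `ValueError` from `find_key` on the non-compliant set is exactly the situation the rule prevents an ADR from having to handle with Data-Holder-specific logic.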