For the key selection algorithm when choosing encryption key from ADR's JWKS endpoint, how do Data Holders determine which key should be used to encrypt the ID token?
Different participants will publish a different number of keys, in a different order, for signing and for encryption, and individual keys may or may not have parameters configured.
The signing and encryption algorithms available for use with the various tokens are not mandated by the CDR standards. The algorithms accepted by DHs and ADRs are exchanged via the OIDC Discovery and Client Registration protocols respectively, according to the normative standards.
For instance, the id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported fields in the OIDC Discovery document (OIDD) are used to describe the capabilities of the DH, and the id_token_encrypted_response_alg field (and similar fields) would be used during dynamic client registration for the ADR to select its preferred algorithm from that list.
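The following is an added illustration of the two steps described above and is not code from the CDR standards or from any participant. It assumes the standard JWK parameters (`kty`, `use`, `alg`, `kid`, `key_ops` from RFC 7517) and the OIDC Dynamic Client Registration default of `A128CBC-HS256` when an ADR names an `alg` but no `enc`. The discovery document, registration request and JWKS are constructed samples with placeholder key material; the mapping from key-management algorithm to key type follows RFC 7518.

```python
import json

# Constructed sample of what a DH advertises in its OIDC Discovery document.
DH_DISCOVERY = {
    "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256"],
    "id_token_encryption_enc_values_supported": ["A256GCM", "A128CBC-HS256"],
}

# Constructed sample of what an ADR sends at Dynamic Client Registration.
ADR_REGISTRATION = {
    "id_token_encrypted_response_alg": "RSA-OAEP-256",
    "id_token_encrypted_response_enc": "A256GCM",
}

# Constructed JWKS as a DH might fetch it from the ADR's jwks_uri. Keys are in
# mixed order, some carry use/alg, one carries neither. "n", "x", "y" are
# placeholders, not real key material.
ADR_JWKS_JSON = json.dumps({"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "sig-ec-1", "use": "sig", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    {"kty": "RSA", "kid": "enc-rsa-1", "use": "enc", "alg": "RSA-OAEP-256", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "kid": "sig-rsa-1", "use": "sig", "alg": "PS256", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa-generic", "n": "PLACEHOLDER", "e": "AQAB"},
]})

# JWE key-management algorithm -> JWK key type it requires (RFC 7518).
ALG_KTY = {
    "RSA1_5": "RSA", "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA",
    "ECDH-ES": "EC", "ECDH-ES+A128KW": "EC", "ECDH-ES+A256KW": "EC",
}

# key_ops values that indicate a key may be used to encrypt / wrap (RFC 7517).
ENC_KEY_OPS = {"encrypt", "wrapKey", "deriveKey"}


def negotiate(discovery, registration):
    """Step 1: reconcile the ADR's DCR request against the DH's advertised
    capabilities. Returns (alg, enc), or None if no encryption was requested."""
    alg = registration.get("id_token_encrypted_response_alg")
    if alg is None:
        return None
    # Assumption: OIDC DCR default when alg is given without enc.
    enc = registration.get("id_token_encrypted_response_enc", "A128CBC-HS256")
    if alg not in discovery.get("id_token_encryption_alg_values_supported", []):
        raise ValueError(f"alg {alg} not supported by this DH")
    if enc not in discovery.get("id_token_encryption_enc_values_supported", []):
        raise ValueError(f"enc {enc} not supported by this DH")
    return alg, enc


def select_encryption_key(jwks_json, alg):
    """Step 2: pick the JWK to encrypt with, given the negotiated alg.
    A key is a candidate when its kty fits the alg, it is not marked for
    another use, and its alg (if any) matches. Keys that state use=enc and
    the exact alg are preferred; ties keep JWKS order for determinism."""
    required_kty = ALG_KTY.get(alg)
    if required_kty is None:
        raise ValueError(f"unknown key-management alg {alg}")
    candidates = []
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("kty") != required_kty:
            continue
        if key.get("use") not in (None, "enc"):
            continue
        if "key_ops" in key and not ENC_KEY_OPS.intersection(key["key_ops"]):
            continue
        if key.get("alg") not in (None, alg):
            continue
        candidates.append(key)
    # Explicit use=enc and explicit matching alg rank highest; sort is stable.
    candidates.sort(key=lambda k: (k.get("use") == "enc", k.get("alg") == alg), reverse=True)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    alg, enc = negotiate(DH_DISCOVERY, ADR_REGISTRATION)
    chosen = select_encryption_key(ADR_JWKS_JSON, alg)
    print(f"encrypt ID token with {alg}/{enc} using kid={chosen['kid']}")
```

The selection deliberately ignores the position of a key in the JWKS except as a final tie-break, so a participant that reorders or adds keys does not change the outcome as long as exactly one key is fully annotated for the negotiated algorithm. A `None` result (for example, requesting `ECDH-ES` against a JWKS whose only EC key is marked `use: sig`) is the case an implementation should surface as a configuration error rather than silently fall back on another key.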
Note that half of this process is defined in the Register design and this should be considered alongside the standards for a complete picture.
See Maintenance Issue 350