Question
For the key selection algorithm when choosing an encryption key from the ADR's JWKS endpoint, how do Data Holders determine which key should be used to encrypt the ID token?
Different participants will have different numbers of keys in different orders, used for signing or encryption, and different keys can have different parameters configured or not.
Answer
The signing and encryption algorithms that are available for use for various tokens are not mandated by the CDR standards. The algorithms accepted by DHs and ADRs are exchanged via the OIDC Discovery and Client Registration protocols respectively, according to the normative standards.
For instance, the id_token_encryption_alg_values_supported field and id_token_encryption_enc_values_supported field in OIDD are used to describe the capabilities of the DH, and the id_token_encrypted_response_alg (and similar fields) would be used during dynamic client registration for the ADR to select their preferred algorithm from this list.
Note that half of this process is defined in the Register design and this should be considered alongside the standards for a complete picture.
See Maintenance Issue 350
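The negotiation described in the answer, as an added example that is not from the CDR standards or any participant's code: the DH checks the alg/enc an ADR registers against what it advertised in OIDD, then picks a key from the ADR's JWKS by kty/use/alg/kid. The OIDD, registration and JWKS values are constructed samples, and the alg-to-kty table and key filtering follow RFC 7517/7518 rather than anything the CDR standards mandate.

```python
from typing import Optional

# JWE key-management alg -> JWK key type that can carry it (RFC 7518).
ALG_KTY = {"RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA", "ECDH-ES": "EC"}

# Constructed sample of what a DH publishes in its OIDD document.
DH_OIDD = {
    "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256"],
    "id_token_encryption_enc_values_supported": ["A256GCM", "A128CBC-HS256"],
}

# Constructed sample of what an ADR requests at dynamic client registration.
ADR_REGISTRATION = {
    "id_token_encrypted_response_alg": "RSA-OAEP-256",
    "id_token_encrypted_response_enc": "A256GCM",
}

# Constructed sample ADR JWKS: a signing key, an EC encryption key, an RSA encryption key.
ADR_JWKS = {"keys": [
    {"kid": "sig-1", "kty": "RSA", "use": "sig", "alg": "PS256", "n": "...", "e": "AQAB"},
    {"kid": "enc-ec", "kty": "EC", "use": "enc", "alg": "ECDH-ES", "crv": "P-256", "x": "...", "y": "..."},
    {"kid": "enc-rsa", "kty": "RSA", "use": "enc", "n": "...", "e": "AQAB"},
]}

def validate_registration(oidd: dict, registration: dict) -> None:
    """DH side: reject a registration whose alg/enc were not advertised in OIDD."""
    alg = registration["id_token_encrypted_response_alg"]
    enc = registration["id_token_encrypted_response_enc"]
    if alg not in oidd["id_token_encryption_alg_values_supported"]:
        raise ValueError(f"alg {alg} not supported by DH")
    if enc not in oidd["id_token_encryption_enc_values_supported"]:
        raise ValueError(f"enc {enc} not supported by DH")

def select_encryption_key(jwks: dict, alg: str) -> Optional[dict]:
    """DH side: first JWK usable to encrypt an ID token under the registered alg."""
    wanted_kty = ALG_KTY[alg]
    for key in jwks["keys"]:
        if key.get("use") not in (None, "enc"):  # skip signing-only keys
            continue
        if key.get("kty") != wanted_kty:         # key type must fit the alg
            continue
        if "alg" in key and key["alg"] != alg:   # an explicit alg must match
            continue
        if "kid" not in key:                     # kid is needed in the JWE header
            continue
        return key
    return None  # nothing usable: registration should fail or fall back to unencrypted
```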