Stream: cds hooks
Topic: JWKS URL Whitelist
Josh Mandel (May 24 2018 at 23:19):
We're working through security specs on the Backend Services API and trying to document the client-specific JWKS URL whitelist that a given client would register with a server at registration time. Among the community here: are there real use cases for having more than a single JWKS URL? Or is a single optional URL (rather than a list of URLs) good enough?
Kevin Olbrich (May 25 2018 at 00:32):
I can't think of one. Since a JWKS can contain multiple keys, it's possible to use a different one for each service provided without difficulty.
Kevin Shekleton (May 25 2018 at 13:41):
What are the use cases being articulated in the Backend Services community in which a client would have multiple JWK Set URLs?
Josh Mandel (May 25 2018 at 14:17):
We don't have use cases for this. We just translated "whitelist" to a list of URLs, but if we can restrict to a single URL per client, we will.
Josh Mandel (May 25 2018 at 14:17):
I'm making this change now.
Last updated: Apr 12 2022 at 19:14 UTC