Add support for JWKS #46

Open
awoie opened this issue Sep 25, 2019 · 6 comments
Labels
enhancement New feature or request

Comments

awoie commented Sep 25, 2019

JOSE/IETF specifications often use URIs that point to JSON Web Key Sets (JWKS), e.g., OpenID Connect. It would be great if we could find a way that allows a DID URL to be used in such a way. This could be either done by using matrix parameters, or something similar.

We could also limit the scope by just including public keys that have the publicKeyJWK type.

Is there a way to use DID URLs in such a way already?

awoie (Author) commented Sep 26, 2019

My did:example method specification could always say that an additional jwks section will be created and that all publicKeyJwk entries should be included in that section as follows:

{ 
   "@context":[ 
      "https://www.w3.org/2019/did/v1",
      "https://w3id.org/security/v1"
   ],
   "id":"did:example:123456789abcdefghi",
   "publicKey":[ 
      { 
         "id":"did:example:123456789abcdefghi#keys-1",
         "type":"RsaVerificationKey2018",
         "controller":"did:example:123456789abcdefghi",
         "publicKeyJwk": ...
      }
   ],
   "jwks":{ 
      "id":"did:example:123456789abcdefghi#jwks",
      "keys":[ 
         { 
            "alg":"RS256",
            "kty":"RSA",
            "use":"sig",
            "x5c":[ 
               "MIIC+DCCAeCgAwIBAgIJBIGjYW6hFpn2MA0GCSqGSIb3DQEBBQUAMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTAeFw0xNjExMjIyMjIyMDVaFw0zMDA4MDEyMjIyMDVaMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnjZc5bm/eGIHq09N9HKHahM7Y31P0ul+A2wwP4lSpIwFrWHzxw88/7Dwk9QMc+orGXX95R6av4GF+Es/nG3uK45ooMVMa/hYCh0Mtx3gnSuoTavQEkLzCvSwTqVwzZ+5noukWVqJuMKNwjL77GNcPLY7Xy2/skMCT5bR8UoWaufooQvYq6SyPcRAU4BtdquZRiBT4U5f+4pwNTxSvey7ki50yc1tG49Per/0zA4O6Tlpv8x7Red6m1bCNHt7+Z5nSl3RX/QYyAEUX1a28VcYmR41Osy+o2OUCXYdUAphDaHo4/8rbKTJhlu8jEcc1KoMXAKjgaVZtG/v5ltx6AXY0CAwEAAaMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUQxFG602h1cG+pnyvJoy9pGJJoCswDQYJKoZIhvcNAQEFBQADggEBAGvtCbzGNBUJPLICth3mLsX0Z4z8T8iu4tyoiuAshP/Ry/ZBnFnXmhD8vwgMZ2lTgUWwlrvlgN+fAtYKnwFO2G3BOCFw96Nm8So9sjTda9CCZ3dhoH57F/hVMBB0K6xhklAc0b5ZxUpCIN92v/w+xZoz1XQBHe8ZbRHaP1HpRM4M7DJk2G5cgUCyu3UBvYS41sHvzrxQ3z7vIePRA4WF4bEkfX12gvny0RsPkrbVMXX1Rj9t6V7QXrbPYBAO+43JvDGYawxYVvLhz+BJ45x50GFQmHszfY3BR9TPK8xmMmQwtIvLu1PMttNCs7niCYkSiUv2sc2mlq1i3IashGkkgmo="
            ],
            "n":"yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ",
            "e":"AQAB",
            "kid":"NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
            "x5t":"NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"
         }
      ]
   }
}

Then, I will be able to resolve did:example:123456789abcdefghi#jwks to the final jwks. Is that correct @peacekeeper?

awoie (Author) commented Sep 26, 2019

Of course one downside would be interoperability. Service providers that rely on that feature would need to know which DID methods support JWKS but the same holds true for any other publicKey type.

awoie (Author) commented Sep 26, 2019

If the example query above is not correct, could you provide an example of what the query could look like to get the jwks section in the DID Document?

awoie (Author) commented Sep 26, 2019

We could think about introducing DID method decorators. One such decorator could be to add this jwks section based on the publicKey section in the DID document. In this way, we could achieve some sort of interoperability. I could imagine that other decorators could make sense as well. Every DID method author could choose which decorators are supported by their DID method.
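Added example, not code from this thread or from any DID method implementation: a Python sketch of the jwks decorator proposed above, deriving the jwks section from the publicKeyJwk entries of a DID document and dereferencing `did:example:...#jwks` to it. The function names, the sample document and its JWK values are constructed for the example; the decorator also refuses to publish a JWK that carries private members, which is the check a resolver would want before exposing a key set.

```python
from typing import Any, Dict, List, Optional

# Private JWK members (RFC 7518 RSA/EC, RFC 8037 OKP, and symmetric "k");
# a published key set must never carry them.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample modelled on the DID document in this issue; the JWK
# values are placeholders, not a real key.
SAMPLE_DID_DOC: Dict[str, Any] = {
    "@context": ["https://www.w3.org/2019/did/v1", "https://w3id.org/security/v1"],
    "id": "did:example:123456789abcdefghi",
    "publicKey": [
        {"id": "did:example:123456789abcdefghi#keys-1",
         "type": "RsaVerificationKey2018",
         "controller": "did:example:123456789abcdefghi",
         "publicKeyJwk": {"kty": "RSA", "alg": "RS256", "use": "sig",
                          "n": "constructed-modulus", "e": "AQAB"}},
    ],
}


def did_document_to_jwks(did_doc: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical jwks decorator: collect every publicKeyJwk into a JWKS.
    Entries without a JWK are skipped; a JWK with private members is refused."""
    did = did_doc["id"]
    keys: List[Dict[str, Any]] = []
    for vm in did_doc.get("publicKey", []):
        jwk = vm.get("publicKeyJwk")
        if not isinstance(jwk, dict):
            continue  # other encodings (e.g. publicKeyBase58) are out of scope
        leaked = PRIVATE_JWK_MEMBERS.intersection(jwk)
        if leaked:
            raise ValueError(f"{vm['id']} carries private JWK members {sorted(leaked)}")
        out = dict(jwk)
        # kid defaults to the DID URL fragment so a JWS 'kid' maps back to
        # the verification method; an explicit kid in the JWK is kept.
        out.setdefault("kid", vm["id"].partition("#")[2] or vm["id"])
        keys.append(out)
    return {"id": did + "#jwks", "keys": keys}


def dereference(did_url: str, did_doc: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """'<did>#jwks' yields the derived key set, any other fragment the
    matching publicKey entry, and a DID URL for another DID yields None."""
    base, _, fragment = did_url.partition("#")
    if base != did_doc["id"]:
        return None
    if fragment == "jwks":
        return did_document_to_jwks(did_doc)
    return next((vm for vm in did_doc.get("publicKey", []) if vm["id"] == did_url), None)
```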

peacekeeper (Collaborator) commented

Coming back to this topic, there has been an extension DID parameter called "transformKeys" for a while that can convert verification methods in DID documents to JWK, or an entire DID document to JWKS: https://github.com/decentralized-identity/did-spec-extensions/blob/main/parameters/transform-keys.md

peacekeeper added the enhancement (New feature or request) label Aug 29, 2024

pchampin (Collaborator) commented

This was discussed during the did meeting on 23 January 2025.


w3c/did-resolution#46

markus_sabadello: Could be supported by an optional flag. Would not be a DIDDoc, and the resolver would not return a DIDDoc. Flag could result in a JWK set in the dereferencing. Use cases in OpenID.

manu: +1 to providing an option. Resolvers may support it or not. Extension - not in the core spec. Having to define transformational algorithms would be needed.

ivan: Not sure why saying not a DID. A DID is a CID, and the CID allows you to do that. Should be valid DIDDoc.

<Zakim> JoeAndrieu, you wanted to say its easy to have a DID URL to return JWKs, but they cannot be canonical

