
Add support for the JWK Thumbprint subject syntax type

Open nanderstabel opened this issue 1 year ago • 0 comments

Description

The JWK Thumbprint subject syntax type is a type of Subject Syntax Type used in the Self-Issued OpenID Provider (SIOP) protocol flow. In this syntax type, the sub (subject) claim value in the ID Token issued by the Self-Issued OP is the base64url encoded representation of the JWK thumbprint of the key in the sub_jwk (subject key) claim. The sub_jwk claim is included in the Self-Issued Response and contains the public key used by the Self-Issued OP to sign the ID Token.

This syntax type allows the Relying Party (RP) to verify the signature on the ID Token using the JWK thumbprint of the key, without having to retrieve the JWK set from the Self-Issued OP. The JWK thumbprint is a compact representation of the public key and can be used as a unique identifier for the key. This approach reduces the size of the SIOP request and response messages and simplifies the processing for the RP.

Motivation

The JWK Thumbprint subject syntax type is a mandatory requirement for compliant implementation of the Self-Issued OpenID Provider (SIOP) protocol, as described in the SIOPv2 specification. Therefore, adding support for this subject syntax type will ensure that this SIOP library is compliant with the latest standards and can interoperate with other compliant SIOP implementations.

Resources

  • SIOPv2 JWK Thumbprint
  • JWK Thumbprint specification

To-do List

  • [ ] Add the JWKThumbprint SubjectSyntaxType as a method of signing the SIOP Response (by the Provider)
  • [ ] Add ability for the RelyingParty to validate a SIOP Response

nanderstabel, Mar 27 '23 14:03
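As an added example (not code from this repository or from the issue author), the two halves of the to-do list above in Python using only the standard library: the Provider derives `sub` from the thumbprint of the key it will sign with, and the Relying Party checks that the `sub` it received is exactly the thumbprint of the `sub_jwk` it received. The thumbprint follows RFC 7638 (required members only, sorted by name, no whitespace, SHA-256, base64url without padding). The function names `jwk_thumbprint`, `provider_subject_claims` and `rp_check_subject` are this example's own, and the JWK coordinates are constructed placeholders, not a real key pair.

```python
import base64
import hashlib
import hmac
import json

# Required JWK members per key type (RFC 7638 section 3.2, OKP from RFC 8037).
# Assumption: only these key types are handled; any other kty is rejected.
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}


def b64url_nopad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict, hash_alg: str = "sha256") -> str:
    """RFC 7638 JWK thumbprint of a public key.

    Only the required members are hashed, in lexicographic order, serialized as
    compact JSON (no whitespace) in UTF-8. Optional members such as kid, alg or
    use are deliberately excluded, so the value identifies the key material and
    not its metadata.
    """
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    missing = [m for m in _REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members for thumbprint: {missing}")
    canonical = json.dumps(
        {m: jwk[m] for m in _REQUIRED_MEMBERS[kty]},
        sort_keys=True,
        separators=(",", ":"),
        ensure_ascii=False,
    ).encode("utf-8")
    return b64url_nopad(hashlib.new(hash_alg, canonical).digest())


def provider_subject_claims(sub_jwk: dict) -> dict:
    """Self-Issued OP side: derive `sub` from the public key used to sign the ID Token."""
    public = {k: v for k, v in sub_jwk.items() if k != "d"}  # never ship a private 'd'
    return {"sub": jwk_thumbprint(public), "sub_jwk": public}


def rp_check_subject(claims: dict) -> bool:
    """RP side: the binding check for the JWK Thumbprint subject syntax type.

    True only when `sub` equals the thumbprint of `sub_jwk`. This complements,
    and does not replace, verifying the ID Token's JWS signature with `sub_jwk`.
    """
    sub = claims.get("sub")
    sub_jwk = claims.get("sub_jwk")
    if not isinstance(sub, str) or not isinstance(sub_jwk, dict):
        return False
    try:
        expected = jwk_thumbprint(sub_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), sub.encode("utf-8"))


# Constructed sample keys (placeholder coordinates, not real key pairs).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "kid": "provider-key-1",  # optional metadata: excluded from the thumbprint
    "alg": "ES256",
}
OTHER_EC_JWK = {**SAMPLE_EC_JWK, "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "kid": "other"}


if __name__ == "__main__":
    claims = provider_subject_claims(SAMPLE_EC_JWK)
    print("sub =", claims["sub"])
    print("honest response accepted:", rp_check_subject(claims))
    # An attacker who swaps in their own key without recomputing sub is caught.
    print("swapped sub_jwk accepted:", rp_check_subject({**claims, "sub_jwk": OTHER_EC_JWK}))
```

The thumbprint is a 43-character string for SHA-256, and it is stable across member ordering and across optional members like `kid`, which is what lets the RP treat it as a key identifier without fetching anything from the Provider. The RP still has to verify the JWS signature with the key in `sub_jwk` (a JOSE library's job) before trusting any claim; `rp_check_subject` only establishes that `sub` and `sub_jwk` name the same key.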