Where is `jwksURL` used?
Hello there,
I was wondering where exactly jwksURL is used in the library? We're trying to implement OAuth2 authentication (specifically, an implementation of single sign-on that allows our users to sign on via an IDP; the token exchange is PKCE -- we're implementing this for mobile devices), and upon reading our discovery document, the code seems to be telling us that jwks_uri is a required JSON key-value pair.
However, we're not going to need this key for our authentication process.
Upon looking through the library code (workspace search for - jwksURL, the getter for the value from the _discoveryDictionary), it does not look like jwksURL is used at all - it's read and then stored, then seemingly never accessed.
My question is: why is this a required key when it appears to never be used? Please correct me if I'm in the wrong here.
It's required because the OpenID Discovery Doc requires it: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
Perhaps it's excessive for AppAuth to require something that you rightly point out isn't used, even if the spec requires it.
In this particular case there is now an OAuth metadata spec (created after that class) where it's optional: https://tools.ietf.org/html/rfc8414#section-2
#380 fixes this. Can you patch that into your local copy and let me know if it works for you?
For the record, the reason this change is possible is because AppAuth also supports RFC 8414, otherwise that param would be REQUIRED.
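The difference between the two specs discussed above, as an added example that is not part of the original thread and is not AppAuth code. It checks a discovery document against the keys each linked spec marks REQUIRED; the function names, profile labels and the sample document (an `idp.example.com` provider with no `jwks_uri`) are constructed for illustration.

```python
# Keys marked REQUIRED unconditionally in each spec linked in the thread.
OIDC_DISCOVERY_REQUIRED = {
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
}
RFC8414_REQUIRED = {"issuer", "response_types_supported"}
# Both specs use this default when grant_types_supported is omitted.
DEFAULT_GRANTS = ["authorization_code", "implicit"]


def missing_keys(doc, profile):
    """Return the sorted REQUIRED keys that `doc` lacks under `profile`."""
    grants = set(doc.get("grant_types_supported", DEFAULT_GRANTS))
    if profile == "oidc-discovery":
        required = set(OIDC_DISCOVERY_REQUIRED)
    elif profile == "rfc8414":
        required = set(RFC8414_REQUIRED)
        # RFC 8414: required unless no supported grant uses the endpoint.
        if grants & {"authorization_code", "implicit"}:
            required.add("authorization_endpoint")
    else:
        raise ValueError(f"unknown profile: {profile}")
    # Both specs: token_endpoint is required unless only implicit is used.
    if grants != {"implicit"}:
        required.add("token_endpoint")
    return sorted(k for k in required if not doc.get(k))


def conforming_profiles(doc):
    """List the profiles whose REQUIRED keys are all present in `doc`."""
    return [p for p in ("oidc-discovery", "rfc8414") if not missing_keys(doc, p)]


# Constructed sample: a PKCE code-flow provider that publishes no jwks_uri.
SAMPLE = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "code_challenge_methods_supported": ["S256"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    for profile in ("oidc-discovery", "rfc8414"):
        print(profile, "missing:", missing_keys(SAMPLE, profile))
    print("conforms to:", conforming_profiles(SAMPLE))
```
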
Hi @WilliamDenniss and Wegi, can I ask about the progress of the fix? Do you plan to merge it into the project?