Replies: 3 comments
-
Hello @bennesp Ory Oathkeeper does require the Can you elaborate a bit more on your usecase/why you think this should be a feature?
-
Yes, sure. Automatic discovery of JSON Web Key Sets (JWKS) from the issuer could enhance the user experience and also simplify the configuration process for developers. By allowing automatic discovery of JWKS from the issuer, developers wouldn't have to manually specify the JWKS URL. This simplifies the configuration process, because sometimes manual configuration can lead to errors, such as typos in URLs. As such, automatic discovery reduces the chance of misconfiguration, leading to more reliable authentication mechanisms. Moreover, it could also be useful in dynamic environments. In dynamic environments, where instances are added/removed dynamically, automatic JWKS discovery could adapt to these changes seamlessly without requiring manual updates to the configuration, even though this use-case could be rarer. From a security perspective, implementing proper security checks and validations during the automatic discovery process can mitigate risks. Since the users configure the issuer, if the issuer provides a secure endpoint for JWKS discovery, it would be as secure as manually configuring the issuer and the JWKS URLs from the beginning. Furthermore, for particular use cases, automated JWKS discovery might be designed with additional security features, such as certificate pinning and time-based validity checks. Certificate pinning ensures that the authentication system only trusts specific certificates associated with the issuer, mitigating the risk of man-in-the-middle attacks. Time-based validity checks ensure that the fetched JWKS is current, reducing the impact of outdated or revoked keys, thus enhancing the system's resilience against unauthorized access attempts.
-
I have a use case where using OpenID Provider Configuration Information would be very useful. Using Amazon Cognito as Identity Provider in a multi-tenant (SaaS) application it is common to use one Cognito User Pool per tenant. Each User Pool has its own 'issuer' claim and its own jwks URI. So you can see, having to configure a list of jwks URIs is not convenient as every time a tenant is added or removed the set of URLs needs to be updated. However, if Oathkeeper could fetch the jwks_uri from the OpenID configuration URL this use case automatically works. Considering the configuration is part of the OIDC standard it seems like it would be good to support in Oathkeeper.
-
Many .well-known/openid-configuration documents also contain a jwks_uri field, indicating the URL where the server's JSON Web Key Set (JWKS) can be obtained. As of now we need to manually specify jwks_uri in the jwt authenticator section of the oathkeeper configuration. It would be convenient if only the issuer(s) could be required, while the JWKS would be automatically discovered.
Are there some specific limitations for which this could not be possible?
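The two requests in this thread (derive jwks_uri from the OpenID Provider Configuration instead of configuring it by hand, and do so per issuer in a multi-tenant Cognito setup) and the checks the second reply calls for can be illustrated with a small Go program. This is an added example written for this page; it is not Oathkeeper's code and does not use Oathkeeper's configuration or APIs. It fetches `<issuer>/.well-known/openid-configuration`, refuses non-https issuers, requires the document's `issuer` to be identical to the configured one (OpenID Connect Discovery 1.0, section 4.3), requires an https `jwks_uri`, then selects a signing key by `kid` while rejecting unknown, duplicated or encryption-only keys. `NewFakeProvider` is a constructed local TLS fixture standing in for an IdP so the program runs offline; the key ids `2024-01` and `enc-01` and the `/other` path are made up for the demonstration. TLS is verified by Go's default client only; the certificate pinning and time-based validity checks mentioned above are not implemented here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Subset of the OpenID Provider Configuration and of a JWK used here; the key
// material members (n, e, ...) are left out because key selection is the point.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// DiscoverJWKSURI fetches <issuer>/.well-known/openid-configuration and returns
// the advertised jwks_uri. Three checks keep this no weaker than a hand-copied
// URL: the configured issuer must be a plain https URL, the document's "issuer"
// must be identical to it (OIDC Discovery 1.0, section 4.3), and the advertised
// jwks_uri must be https.
func DiscoverJWKSURI(client *http.Client, issuer string) (string, error) {
	iss, err := url.Parse(issuer)
	if err != nil || iss.Scheme != "https" || iss.Host == "" || iss.RawQuery != "" || iss.Fragment != "" {
		return "", fmt.Errorf("issuer %q is not a plain https URL", issuer)
	}
	var doc discoveryDoc
	if err := getJSON(client, strings.TrimSuffix(issuer, "/")+"/.well-known/openid-configuration", &doc); err != nil {
		return "", err
	}
	if doc.Issuer != issuer {
		return "", fmt.Errorf("discovery document announces issuer %q, configured %q", doc.Issuer, issuer)
	}
	if ju, err := url.Parse(doc.JWKSURI); err != nil || ju.Scheme != "https" || ju.Host == "" {
		return "", fmt.Errorf("jwks_uri %q is not an https URL", doc.JWKSURI)
	}
	return doc.JWKSURI, nil
}

// FetchKey downloads the JWKS and returns the key whose kid matches. A missing
// or duplicated kid, or a key not meant for signatures, is an error rather than
// a guess, because a token's kid header is attacker-controlled input.
func FetchKey(client *http.Client, jwksURI, kid string) (jwk, error) {
	var set jwks
	if err := getJSON(client, jwksURI, &set); err != nil {
		return jwk{}, err
	}
	var found *jwk
	for i := range set.Keys {
		if set.Keys[i].Kid != kid {
			continue
		}
		if found != nil {
			return jwk{}, fmt.Errorf("more than one key with kid %q", kid)
		}
		found = &set.Keys[i]
	}
	if found == nil {
		return jwk{}, fmt.Errorf("no key with kid %q at %s", kid, jwksURI)
	}
	if found.Use != "" && found.Use != "sig" {
		return jwk{}, fmt.Errorf("key %q is not a signing key (use=%q)", kid, found.Use)
	}
	return *found, nil
}

// getJSON performs a GET, requires HTTP 200 and caps the body at 1 MiB.
func getJSON(client *http.Client, u string, v any) error {
	resp, err := client.Get(u)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: HTTP %d", u, resp.StatusCode)
	}
	return json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(v)
}

// NewFakeProvider starts a TLS test server standing in for an OpenID Provider
// (a constructed fixture, not a real IdP). The same document is also served
// under /other, so configuring srv.URL+"/other" as issuer yields a document
// that announces a different issuer, which DiscoverJWKSURI must reject.
func NewFakeProvider() *httptest.Server {
	mux := http.NewServeMux()
	srv := httptest.NewUnstartedServer(mux)
	disco := func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(discoveryDoc{Issuer: srv.URL, JWKSURI: srv.URL + "/keys"})
	}
	mux.HandleFunc("/.well-known/openid-configuration", disco)
	mux.HandleFunc("/other/.well-known/openid-configuration", disco)
	mux.HandleFunc("/keys", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(jwks{Keys: []jwk{{Kid: "2024-01", Kty: "RSA", Use: "sig"}, {Kid: "enc-01", Kty: "RSA", Use: "enc"}}})
	})
	srv.StartTLS()
	return srv
}

func main() {
	srv := NewFakeProvider()
	defer srv.Close()
	uri, err := DiscoverJWKSURI(srv.Client(), srv.URL)
	fmt.Println("jwks_uri:", uri, "err:", err)
	key, err := FetchKey(srv.Client(), uri, "2024-01")
	fmt.Println("key:", key, "err:", err)
}
```

In the multi-tenant case from the Cognito comment, the natural shape is one `DiscoverJWKSURI` call per issuer on the configured allow-list, with the token's `iss` claim matched against that list before discovery is consulted at all: the issuer is always operator-configured input, so neither the `iss` nor the `kid` taken from an incoming token ever decides which host gets fetched. Cache the discovery document and JWKS per issuer and refresh on a `kid` miss with a rate limit, otherwise a flood of tokens with unknown key ids turns into a flood of requests to the IdP.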