From b7b5dd53bf8ef2821e508804c585c785619fc7e9 Mon Sep 17 00:00:00 2001 From: Olivier 'reivilibre Date: Tue, 2 Dec 2025 12:22:33 +0000 Subject: [PATCH] Convert use case list to bullet points and note the niche private_key_jwt method --- docs/reference/configuration.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md index 5b40e8370..2f2956451 100644 --- a/docs/reference/configuration.md +++ b/docs/reference/configuration.md @@ -238,9 +238,12 @@ The following key formats are supported: - PKCS#8 PEM or DER-encoded RSA or ECDSA private key, encrypted or not - SEC1 PEM or DER-encoded ECDSA private key -The signing keys are used for signing ID Tokens (as returned in the [Token Endpoint] -at `/oauth2/token`) and for signing the response of the [UserInfo Endpoint] at -`/oauth2/userinfo` if the client requests a signed response. +The signing keys are used for: +- signing ID Tokens (as returned in the [Token Endpoint] at `/oauth2/token`); +- signing the response of the [UserInfo Endpoint] at `/oauth2/userinfo` if the + client requests a signed response; +- (niche) signing a JWT for authenticating to an upstream OAuth provider when + the `private_key_jwt` client auth method is configured. At a minimum, an RSA key must be configured in order to be compliant with the [OpenID Connect Core specification][oidc-core-rs256] which specifies the RS256 algorithm
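Review bot: the new third bullet in the configuration.md hunk ("(niche) signing a JWT for authenticating to an upstream OAuth provider when the `private_key_jwt` client auth method is configured") states that the same signing keys double as the client-authentication key for upstream providers, but does not tell the reader the consequence: the upstream provider must hold the matching public key, so any rotation or replacement of these signing keys also has to be reflected in the upstream provider's client registration. Suggest either adding a short clause to that bullet (e.g. "the upstream provider must be able to verify this key, so rotating it requires updating the upstream registration") or linking `private_key_jwt` to the section of this document that describes upstream provider client auth, in the same `[...]` reference style the surrounding text uses for `[Token Endpoint]` and `[UserInfo Endpoint]`. Minor style point: "(niche)" reads informally in reference documentation; "less commonly," or simply dropping the parenthetical would fit the register of the other two bullets.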