RemoteJWKSets should follow 301 redirects

[jespertheend]

I'm getting the jwks url from the OpenID configuration file from facebook (https://www.facebook.com/.well-known/openid-configuration) which has "https://facebook.com/.well-known/oauth/openid/jwks/" set as value for jwks_uri. however this url 301 redirects to the www. subdomain, causing jose to throw an error: JOSEError: Expected 200 OK from the JSON Web Key Set HTTP response.

There's a couple of things I can do:

• Ask facebook to not redirect or change the value of jwks_uri to include www. though I don't think Facebook is actually violating any spec here, and a related issue ended up not getting fixed either (https://developers.facebook.com/support/bugs/347371913710660/) so I don't think this will end up getting changed.
• Hardcode the url to https://www.facebook.com/.well-known/oauth/openid/jwks/, but this makes it less future-proof and makes it more difficult to add new supported issuers.
• Implement redirect support in jose.

Currently redirects are explicitly disabled at:

jose/src/runtime/browser/fetch_jwks.ts

Line 14 in 88eee00

redirect: 'manual',

Is there a reason for this?
The nodejs version of fetch_jwks.ts requires a bit more work to support redirects but should still be straight forward if you're willing to turn it into a recursive function.

[panva]

I've not had any redirection following allowed in openid-client for years now and Facebook has just recently rolled this out and has not certified their implementation to be in conformance with any of the OIDC profiles.

Facebook's discovery mechanism in itself is not conform because it redirects in the first place. If the issuer identifier is https://facebook.com its discovery document URL that is normatively required to return a 200 OK response should be at https://facebook.com/.well-known/openid-configuration. But it in fact redirects to a www. subdomain.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse

A successful response MUST use the 200 OK HTTP status code

I am aware that is for the discovery document itself, not the jwks_uri specifically, so, can you find a normative language or a WG discussion stating that HTTP 3xx Status Code responses with a Location header either MAY be returned or SHOULD be followed for the jwks_uri JWK Set document?

[jespertheend]

I wasn't able to find any normative references to http redirects in any of the OpenID specs. Actually the link you referenced is the closest to normative language about redirects I've seen so far.
I'm not very familiar with the usage of keywords used for Requirement Levels, so at first I figured that the use of 'uri' would imply that redirects should be supported. But the lack of MAY and SHOULD seems to suggest this behaviour is entirely undefined.

I'll open another ticket with Facebook and hopefully they'll be able to change this. For now I've simply hard coded the jwks_uri.

[jespertheend]

Created https://developers.facebook.com/support/bugs/256639136274824/