made it possible to retrieve keys using publisher's `sub` as well

README.md

@@ -20,7 +20,7 @@ issuer components are these:
 api:                    api.:hostname
 authorization_dialog    #/authorization_dialog
 logout                  #/logout
-create_jwk:             :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
+publish_jwk:            :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
 retrieve_jwk:           :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
 grants:                 :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
 credential_meta:        :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
@@ -40,9 +40,9 @@ And here are some others that are useful, but could be implemented differently
 without breaking the protocol.
 
 ```
-credential_create: :scheme//:hostname/api/issuer@oauth3.org/logins
+credential_create:  :scheme//:hostname/api/issuer@oauth3.org/logins
-credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
+credential_meta:    :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
-credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp
+credential_otp:     :scheme//:hostname/api/issuer@oauth3.org/otp
 ```
 
 subject
@@ -72,7 +72,7 @@ devices. This requires having a place to store the public half of those keys
 on a server that can then server the public keys to resource providers for
 signature verification.
 
-### Saving a JWK ###
+### Publishing a JWK ###
   * **URL** `:scheme//:hostname/api/issuer@oauth3.org/jwks/:sub`
   * **Method** `POST`
   * **Url Params**

jwks.js

@@ -43,18 +43,27 @@ function create(app) {
         return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
       }
 
-      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
+      // First we check to see if the key is being requested by the `sub` that we as the issuer use
-        if (!results.length) {
+      // to identify the user, and if not then we need to look up the specified `sub` to see if
-          throw new OpErr("unknown PPID '"+req.params.sub+"'");
+      // we can determine which (if any) account it's associated with.
-        }
+      return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
-        if (results.length > 1) {
+        if (jwk) {
-          // This should not ever happen since there is a check for PPID collisions when saving
+          return jwk;
-          // grants, but it's probably better to have this check anyway just incase something
-          // happens that isn't currently accounted for.
-          throw new OpErr('PPID collision - unable to safely retrieve keys');
         }
 
-        return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+        return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
+          if (!results.length) {
+            throw new OpErr("unknown PPID '"+req.params.sub+"'");
+          }
+          if (results.length > 1) {
+            // This should not ever happen since there is a check for PPID collisions when saving
+            // grants, but it's probably better to have this check anyway just incase something
+            // happens that isn't currently accounted for.
+            throw new OpErr('PPID collision - unable to safely retrieve keys');
+          }
+
+          return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+        });
       });
     }).then(function (jwk) {
       if (!jwk) {
@@ -103,4 +112,5 @@ function create(app) {
   };
 }
 
+module.exports.thumbprint = thumbprint;
 module.exports.create = create;