Rule catalog · Auth discovery posture

Authorization server advertises a JWKS URI

Rule ID: auth_advertises_jwks_uri · Severity: low · Weight: 2 · Auth-required

Authored by Stanley Hong · AgentReserve (founder).

When authorization server metadata is discovered, it advertises a `jwks_uri` so clients can verify token signatures. Required for any authorization server issuing signed tokens.

When this rule runs

Only applies when the server signals that authentication is required (HTTP 401/403). Excluded from the score on public servers.

Why it matters

Without `jwks_uri`, clients cannot fetch the keys needed to verify token signatures, which makes audience/issuer enforcement unreliable. RFC 8414 makes it REQUIRED for OpenID Connect deployments and strongly recommended otherwise.

Pass condition

At least one parsed authorization server metadata document advertises `jwks_uri`.

Fail condition

Authorization server metadata parsed but no `jwks_uri` was advertised.

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"jwksUris": []}
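The pass/fail logic, the 401/403 gating and the evidence shape above can be expressed as a small evaluator. The following is an added illustration written for this page, not AgentReserve's scanner code; the input shapes (the HTTP status the protected resource returned, and the raw JSON bodies fetched from the metadata endpoint) and the sample documents are assumptions. It goes one step beyond the catalog's condition by also recording, in an extra `insecureJwksUris` evidence key, any advertised URI that does not use the https scheme RFC 8414 Section 2 requires; that extra key does not change the verdict.

```python
"""Added worked example for the auth_advertises_jwks_uri rule.

Illustration code written for this catalog page, not AgentReserve's
scanner. Input shapes are assumptions: the HTTP status the protected
resource returned, and the raw JSON bodies fetched from the authorization
server metadata endpoint(s).
"""
import json
from urllib.parse import urlparse

RULE_ID = "auth_advertises_jwks_uri"
AUTH_REQUIRED_STATUSES = (401, 403)


def parse_metadata_docs(raw_bodies):
    """Parse raw metadata bodies, keeping only JSON objects.

    The rule is defined over *parsed* documents, so bodies that fail to
    parse (or are not objects) are simply not counted here.
    """
    docs = []
    for body in raw_bodies:
        try:
            doc = json.loads(body)
        except (TypeError, ValueError):
            continue
        if isinstance(doc, dict):
            docs.append(doc)
    return docs


def evaluate_jwks_uri_rule(resource_status, metadata_docs):
    """Return (verdict, evidence) for one scan.

    verdict:  "not_applicable" (public server, excluded from the score),
              "pass" or "fail" as the catalog defines them.
    evidence: {"jwksUris": [...]} as in the catalog, plus an extra
              "insecureJwksUris" key (this example's addition) listing any
              advertised URI whose scheme is not https.
    """
    # Only applies when the server signalled that authentication is required.
    if resource_status not in AUTH_REQUIRED_STATUSES:
        return "not_applicable", {"jwksUris": []}

    jwks_uris = [
        doc["jwks_uri"]
        for doc in metadata_docs
        if isinstance(doc.get("jwks_uri"), str) and doc["jwks_uri"]
    ]
    evidence = {"jwksUris": jwks_uris}

    # RFC 8414 requires the https scheme; a plaintext URL would let an
    # on-path party substitute the key set. Recorded as evidence only.
    insecure = [u for u in jwks_uris if urlparse(u).scheme != "https"]
    if insecure:
        evidence["insecureJwksUris"] = insecure

    return ("pass" if jwks_uris else "fail"), evidence


# Constructed sample bodies (not captured from any real server).
SAMPLE_WITHOUT_JWKS = json.dumps({
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
})
SAMPLE_WITH_JWKS = json.dumps({
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
    "jwks_uri": "https://as.example/.well-known/jwks.json",
})
SAMPLE_MALFORMED = "{not json"


def run_samples():
    """Evaluate the rule over the constructed samples; returns a dict of results."""
    return {
        "public_server": evaluate_jwks_uri_rule(
            200, parse_metadata_docs([SAMPLE_WITHOUT_JWKS])),
        "missing": evaluate_jwks_uri_rule(
            401, parse_metadata_docs([SAMPLE_WITHOUT_JWKS, SAMPLE_MALFORMED])),
        "advertised": evaluate_jwks_uri_rule(
            403, parse_metadata_docs([SAMPLE_WITH_JWKS])),
    }


if __name__ == "__main__":
    for name, (verdict, evidence) in run_samples().items():
        print(f"{RULE_ID} [{name}]: {verdict} {json.dumps(evidence)}")
```

The "missing" case reproduces the catalog's failing evidence, `{"jwksUris": []}`: the malformed body is dropped at parse time and the remaining document carries no `jwks_uri`. The "public_server" case shows the rule stepping aside on a 200 response, which is why it is excluded from the score for public servers.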

Remediation

Publish a JWKS document and advertise `jwks_uri` in your authorization server metadata.

Methodology

This rule belongs to the Auth discovery posture dimension, which asks, when authorization is required, whether the server cooperates with the standards-based discovery chain: RFC 9728 protected resource metadata, RFC 8414 authorization server metadata, validated issuers, and safe grant types.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.