10 September
Risks in using JWKS URL over OIDC discovery endpoint?
Background
Hashicorp Vault provides an auth method to enable Kubernetes Pods to authenticate to Vault by configuring integration between a Kubernetes cluster and Vault.
Question
The docs recommend setting up OIDC discovery endpoint integration. My understanding is that this typically provides issuer validation to prevent impersonation attacks. However, the docs also offer a mechanism to enable integration via specifying jwks_url and bound_issuer. The bound issuer param states:
The value against which to match the iss claim in a JWT
Therefore, issuer validation can be achieved if configured for the JWKS URL option.
I'm trying to understand what other inherent risks exist when opting for this method over the OIDC discovery endpoint?
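The two key-resolution paths the question contrasts, as an added example that is not part of the original post and not Vault's implementation: a simplified model in which `fetch` returns constructed stand-ins for the discovery and JWKS documents, and `accepts` applies only the issuer and key-id checks (signature verification is omitted). The `mirror.example` host and the key ids are assumptions.

```python
# Constructed stand-ins for what an issuer (here, a Kubernetes API server)
# and an unrelated JWKS host would serve over HTTPS.
ISSUER = "https://kubernetes.default.svc.cluster.local"
WELLKNOWN = "/.well-known/openid-configuration"
DOCS = {
    ISSUER + WELLKNOWN: {"issuer": ISSUER, "jwks_uri": ISSUER + "/openid/v1/jwks"},
    ISSUER + "/openid/v1/jwks": {"keys": [{"kid": "k1", "kty": "RSA", "use": "sig"}]},
    # A mirror whose discovery document names a different issuer than its own URL.
    "https://mirror.example" + WELLKNOWN: {"issuer": ISSUER, "jwks_uri": "https://mirror.example/jwks"},
    "https://mirror.example/jwks": {"keys": [{"kid": "k2", "kty": "RSA", "use": "sig"}]},
}


def fetch(url):
    """Stand-in for an HTTPS GET; raises KeyError for unknown URLs."""
    return DOCS[url]


def resolve(config, fetch=fetch):
    """Return (expected_issuer, keys) for a config that uses either
    oidc_discovery_url, or jwks_url plus an optional bound_issuer."""
    if "oidc_discovery_url" in config:
        issuer = config["oidc_discovery_url"].rstrip("/")
        doc = fetch(issuer + WELLKNOWN)
        # OIDC Discovery 1.0 section 4.3: the document's issuer MUST equal the
        # URL it was fetched from, so the key set is bound to that issuer and
        # the iss claim is always compared against it.
        if doc.get("issuer") != issuer:
            raise ValueError("discovery issuer mismatch: %r != %r" % (doc.get("issuer"), issuer))
        return issuer, fetch(doc["jwks_uri"])["keys"]
    # JWKS path: the keys come from wherever jwks_url points; nothing ties them
    # to an issuer, so iss is only checked when bound_issuer is configured.
    return config.get("bound_issuer"), fetch(config["jwks_url"])["keys"]


def accepts(config, token, fetch=fetch):
    """token is a dict with the header 'kid' and the payload 'iss' of a JWT.
    True if iss matches the expected issuer (when there is one) and the key id
    is present in the resolved key set."""
    expected_iss, keys = resolve(config, fetch)
    if expected_iss is not None and token.get("iss") != expected_iss:
        return False
    return any(k.get("kid") == token.get("kid") for k in keys)
```

Without `bound_issuer`, the JWKS path accepts any token signed by a key in the served set regardless of `iss`, which is the gap the discovery path closes by construction.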