In our OIDC specs, we stated that client JWKS endpoints need to be publicly accessible by any traffic. This means that any person or machine connected to the internet should be able to access your JWKS endpoint without restriction (think google.com).
If this is a concern for your organisation, you can simply opt for the alternative of hosting the JWKS object with us. This can be done by updating your app on the Singpass Developer Portal.
Comments
0 comments
Please sign in to leave a comment.