Sig1

Used by the TPP to sign requests sent to the OFP

(e.g. for signing the private-key-jwt, par request object etc)

OFP will use the public key in the OFTF JWKS to verify the signature

OFTF

TPP

TPP

TPP

None

TPP’s JWKS identified by the jwks_url for the client.

Hosted in OFTF

Sig2

Used by the OFP to sign responses sent to the TPP

This includes signed messages from the resource server and the signature on the id_token.

The TPP will use the public key in the JWKS to verify the signature

OFTF

Ozone

Ozone

LFI

Yes

LFI’s JWKS identified by the jwks_url in the OFP’s well-known endpoint.

Hosted in OFTF

Sig3

Used by the OFP to sign requests sent to the the LFI

OFP will use the public key in the JWKS to verify the signature

OFTF

Ozone

Ozone

LFI

Yes

LFI’s JWKS hosted in OFTF

Only required if one of these conditions is true:

• The LFI requires JWT Auth for Application Layer Authentication to Ozone Connect

• The LFI uses Client Credentials Grant for Application Layer Authentication to Ozone Connect and client authentication is set to private_key_jwt

Sig4

Used by the LFI to sign requests sent to OFP

LFI will use the public key in the JWKS to verify the signature

OFTF

LFI

Ozone (to assist LFI)

LFI

Yes

LFI’s JWKS hosted in OFTF

Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH

Enc1

Used by the TPP to encrypt PII sent to the OFP that can only be read by the LFI

The PII payloads are signed using the LFI’s public key in the JWKS

The LFI decrypts them using their private key

OFTF

LFI

LFI

LFI

Yes

LFI’s JWKS identified by the jwks_url in the OFP’s well-known endpoint

Hosted in LFI’s JWKS on OFTF

Ozone can provide scripts to generate the CSR if requested by the LFI