docs: clarify usage of OIDCPublicKeyFiles/OIDCPrivateKeyFiles

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

auth_openidc.conf

@@ -224,22 +224,23 @@
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
 #OIDCProviderAuthRequestMethod [ GET | POST | PAR ]
 
-# The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates
-# that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP.
-# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
-# When not defined no encryption will be requested.
-# You can also prefix <filename> with a JWK key identifier to manually override the automatically
+# The fully qualified names of the files that contain a PEM-formatted RSA/EC Public key or a X.509 certificates
+# that contain the RSA/EC public keys to be used for (optional) signing and/or encryption e.g. private_key_jwt
+# authentication to the OPs token/introspection endpoint, id_token encryption by the OP, signed authentication
+# requests, signed JWT userinfo claims propagation, dPOP etc.
+# The value(s) defined must correspond to the private keys defined in OIDCPrivateKeyFiles.
+# One can prefix <filename> with a JWK key ("kid") identifier to manually override the automatically
 # generated "kid" that will be used for this key in the JWKs derived from this certificate and
 # published at OIDCClientJwksUri.
-# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
-# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign)
+# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for respectively signing or encryption only.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign or enc)
+# When not defined no signing and/or no encryption will be possible.
 #OIDCPublicKeyFiles (["sig:"|"enc:"][<kid>#]<filename>)+
 
 # The fully qualified names of the files that contain the PEM-formatted RSA/EC private
-# keys that can be used to decrypt content sent to us by the OP.
-# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
-# When not defined no decryption will be possible.
-# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc)
+# keys corresponding to the public keys defined in OIDCPublicKeyFiles.
+# When not defined no signing and/or no encryption will be possible.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign or enc)
 #OIDCPrivateKeyFiles (["sig:"|"enc:"][<kid>#]<filename>)+
 
 ########################################################################################
@@ -1052,6 +1053,7 @@
 #   url (string)                         : use this url instead of redirect_uri for request_uri
 #   request_object_type (string)         : parameter used for sending authorization request object
 #                                          "request_uri" (default) or "request"
+# OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set before this directive is applied.
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object
 #OIDCRequestObject <stringified-and-double-quote-escaped-JSON-object>