[Openid-specs-ab] Issue #1314: signed request for client authentication and proof of possession of key material (openid/connect)

Edmund Jay issues-reply at bitbucket.org
Thu Aug 19 09:13:25 UTC 2021


New issue 1314: signed request for client authentication and proof of possession of key material
https://bitbucket.org/openid/connect/issues/1314/signed-request-for-client-authentication

Edmund Jay:

Comments from TL regarding [pull request #39](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca)

[https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-236569518](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-236569518)

Signed requests are defined and used for client authentication - it seems you want to use it for proof of possession of the holder's key material.

How does the OP determine which mode the client wants to use?

How is the client authenticated if the signed request is used for other purposes?


[https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238240292](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238240292)

Defining how client authentication and proof of possession (for holders) works is a fundamental topic for this PR. I would prefer to discuss and solve it here. In my opinion, proof of possession should use a separate, new parameter in order to decouple both aspects and preserve integrity of client authentication and OIDC signed requests. The holder could, for example, sign the nonce value. This would also provide replay protection.
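The decoupled design TL proposes above (the holder signs the OP-issued nonce in a parameter of its own, separate from the signed request used for client authentication) as an added example; it is not code from the issue, the pull request or the OpenID Connect specifications. The holder key type (ECDSA P-256), the in-memory single-use nonce store and the idea of a dedicated PoP parameter are assumptions made here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// NewHolderKey generates the holder's key; it is not the client's request-signing key.
func NewHolderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ProvePossession signs the OP-issued nonce with the holder key: the separate
// PoP value proposed in the thread, sent in its own (hypothetical) parameter.
func ProvePossession(key *ecdsa.PrivateKey, nonce string) ([]byte, error) {
	d := sha256.Sum256([]byte(nonce))
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// OP tracks the nonces it issued and consumes each one on first valid use;
// that single-use rule is what gives the scheme its replay protection.
type OP struct{ live map[string]bool }
func NewOP() *OP { return &OP{live: map[string]bool{}} }
func (op *OP) IssueNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	op.live[n] = true
	return n, nil
}

// VerifyPossession checks the PoP against the holder's public key only; the
// signed request used for client authentication is verified separately.
func (op *OP) VerifyPossession(nonce string, sig []byte, pub *ecdsa.PublicKey) error {
	if !op.live[nonce] {
		return errors.New("nonce unknown or already used")
	}
	d := sha256.Sum256([]byte(nonce))
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("proof of possession signature invalid")
	}
	delete(op.live, nonce) // consumed: replaying the same PoP now fails
	return nil
}
```

Because the OP verifies the PoP with the holder's key and never with the client's, a failed or missing PoP cannot weaken the client authentication check, which stays exactly as the signed-request rules define it.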




More information about the Openid-specs-ab mailing list