[Openid-specs-ab] Question about secret_type: JWT

John Bradley ve7jtb at ve7jtb.com
Thu Aug 25 04:39:02 UTC 2011


Yes, the idea is to use JWS to avoid directly disclosing the secret as is done with basic in the symmetric key case.

OAuth doesn't define an asymmetric authentication to the token endpoint.

The plan was to define a JWT with a single claim of code that would be signed by the RP.

We should probably drop this or fully explain it.

John B.
On 2011-08-24, at 12:56 AM, Andreas Åkre Solberg wrote:

> REDIRECT-05 Section 3.1.5 mentions the secret_type JWT:
> 
>> If the secret_type is "basic", send the pre-shared secret. If the secret_type is "JWT", send the compact serialization of the JWT [JWT] Signature over the 'code'.
> 
> Is this method described somewhere in more details?
> 
> It says JWT signature, but there is no JSON input? Does it mean JWS signature over the code string?
> 
> Getting the consumer to sign something that the Provider presents may be risky. Maybe not if a shared key is used, but if the consumer has a key-pair that it uses against multiple services. I'm thinking that the Provider can get a consumer to sign a code that the provider has received from a different provider; being able to impersonate the user.
> 
> Andreas
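The mechanism the thread is discussing, shown as an added example that is not from the thread or from REDIRECT-05: the RP builds a JWT whose single substantive claim is `code`, signs it as a compact-serialized JWS, and the token endpoint verifies the signature and compares the claim against the `code` actually presented. The HS256 (pre-shared secret) case is used here because that is the symmetric case John refers to; the `aud` claim, the secret value and the authorization code are constructed for the example, and binding the assertion to the intended token endpoint via `aud` is this example's own mitigation for the cross-provider signing concern Andreas raises, not something the draft specifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example (not from the draft or the thread).
SHARED_SECRET = b"constructed-pre-shared-secret"
TOKEN_ENDPOINT = "https://op.example/token"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_code(code: str, secret: bytes, audience: str) -> str:
    """RP side: JWS (HS256) over a JWT carrying the 'code' claim.

    The 'aud' claim is an assumption of this example: it names the token
    endpoint the assertion is meant for, so a signature obtained by one
    provider cannot be presented to a different one.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"code": code, "aud": audience}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_code_assertion(token: str, presented_code: str, secret: bytes,
                          expected_audience: str) -> bool:
    """Token endpoint side: accept only a valid HS256 JWS whose 'code' claim
    matches the code in the request and whose 'aud' names this endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the algorithm: never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        return False
    expected_sig = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False
    if claims.get("aud") != expected_audience:
        return False
    # Constant-time compare of the signed code with the presented one.
    return hmac.compare_digest(str(claims.get("code", "")).encode(),
                               presented_code.encode())


if __name__ == "__main__":
    code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed authorization code
    assertion = sign_code(code, SHARED_SECRET, TOKEN_ENDPOINT)
    print(assertion)
    print(verify_code_assertion(assertion, code, SHARED_SECRET, TOKEN_ENDPOINT))
```

Verification pins the algorithm to HS256, checks the signature before parsing the claims, and compares the signed `code` to the presented one in constant time; an assertion signed for another endpoint's `aud`, for a different code, or with a different secret is rejected.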
