[Openid-specs-ab] [openid/connect] client_secret as the HMAC key...? (issue #761)
issues-reply at bitbucket.org
Thu Feb 7 19:09:45 UTC 2013
New issue 761: client_secret as the HMAC key...?
Messages 4.3. Signing says for "Symmetric Signatures ... the client and server MUST establish a shared secret out of band."
But isn't the shared secret intended to be the client_secret and shouldn't that be stated explicitly?
Step 6 in 5.2 ID Token Validation says "If the alg parameter of the JWT header is a MAC based algorithm such as HS256, HS384, or HS512, the client_secret for the client_id contained in the aud (audience) Claim is used as the key to validate the signature.", which is consistent with client_secret as the MAC key. client_secret_jwt in 2.2.1. Client Authentication does also.
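The validation step quoted in the issue, written out as an added Python example (not code from the issue, the OpenID Connect specification, or any OpenID library): a client verifying an HMAC-signed ID token uses its own client_secret as the MAC key, and the aud claim is what ties the token to that client_id and hence to that secret. The client_id, client_secret and claim values below are constructed for the demonstration; the code uses only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demonstration (not from the issue or spec).
CLIENT_ID = "example-client"
CLIENT_SECRET = "constructed-shared-secret-for-demo"

# MAC algorithms the spec text names; anything else (RS256, "none", ...) is
# rejected by the validator below, so a header swapped to "none" cannot pass.
_HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """Issuer side: MAC the token with the shared secret, i.e. the client's client_secret."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = hmac.new(client_secret.encode(), signing_input.encode(), _HS_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(tag)


def validate_id_token(token: str, client_id: str, client_secret: str) -> dict:
    """Client side, step 6 of ID Token Validation for MAC algorithms.

    The token must name this client in aud, and the signature must verify
    under this client's client_secret. Raises ValueError on any failure.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS: expected three dot-separated parts")

    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in _HS_ALGS:
        raise ValueError(f"unsupported or non-MAC alg: {alg!r}")

    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud claim does not contain this client_id")

    # Recompute the MAC over the exact header.payload bytes received and compare
    # in constant time; the key is the client_secret belonging to client_id.
    expected = hmac.new(
        client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), _HS_ALGS[alg]
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return claims


def id_token_is_valid(token: str, client_id: str, client_secret: str) -> bool:
    """Boolean wrapper around validate_id_token for callers that only need pass/fail."""
    try:
        validate_id_token(token, client_id, client_secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = sign_id_token(
        {"iss": "https://op.example", "sub": "248289761001", "aud": CLIENT_ID, "exp": 4102444800},
        CLIENT_SECRET,
    )
    print("valid with own secret:", id_token_is_valid(token, CLIENT_ID, CLIENT_SECRET))
    print("valid with wrong secret:", id_token_is_valid(token, CLIENT_ID, "some-other-secret"))
```

The `alg` check is deliberately an allow-list of MAC algorithms rather than "whatever the header says": the header is attacker-controlled until the signature is checked, so the client decides which algorithms it accepts for its client_secret before it looks at the signature at all.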