[Openid-specs-ab] [openid/connect] client_secret as the HMAC key...? (issue #761)

Brian Campbell issues-reply at bitbucket.org
Thu Feb 7 19:09:45 UTC 2013


New issue 761: client_secret as the HMAC key...?

Brian Campbell:

Messages 4.3. Signing[1] says for "Symmetric Signatures ... the client and server MUST establish a shared secret out of band."

But isn't the shared secret intended to be the client_secret and shouldn't that be stated explicitly? 

Step 6 in 5.2  ID Token Validation [2] says "If the alg parameter of the JWT header is a MAC based algorithm such as HS256, HS384, or HS512, the client_secret for the client_id contained in the aud (audience) Claim is used as the key to validate the signature.", which is consistent with client_secret as the MAC key. client_secret_jwt in 2.2.1. Client Authentication [3] does also.

[1] http://openid.net/specs/openid-connect-messages-1_0-15.html#sigs 
[2] http://openid.net/specs/openid-connect-messages-1_0-15.html#id.token.validation
[3] http://openid.net/specs/openid-connect-messages-1_0-15.html#client_authentication
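The step 6 check quoted above, worked through as an added example (not code from the thread or from any OpenID implementation): an HS256 ID token is keyed with the client_secret, and the relying party may only use its own secret when its client_id appears in aud. The claims, the client_id "client-a" and the secret "s3cret" are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# JWS "alg" names the thread cites, mapped to the hash behind each HMAC.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """Build a compact JWS over the claims, using the client_secret as the MAC key."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token: str, client_id: str, client_secret: str) -> dict:
    """ID Token Validation step 6 for MAC algorithms: the client_secret of the client
    named in aud is the key. Returns the claims, or raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # Only the symmetric algorithms take client_secret as the key; anything else
    # (an RS*/ES* alg, or "none") must not be verified with the shared secret.
    if alg not in HMAC_ALGS:
        raise ValueError(f"alg {alg!r} is not a MAC algorithm; client_secret does not apply")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this client_id; its client_secret is not the key")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("MAC mismatch: token was not keyed with this client_secret")
    return claims
```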

