[Openid-specs-ab] Issue #1164: insecure front-channel use of private_key_jwt client authentication (openid/connect)

Roland Hedberg roland at catalogix.se
Tue Apr 21 06:56:54 UTC 2020



> On 20 Apr 2020, at 19:09, Brian Campbell via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> 
> 
> On Mon, Apr 20, 2020 at 10:27 AM Joseph Heenan via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Hi all,
> 
>> On 20 Apr 2020, at 16:13, Roland Hedberg via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>> 
>> To distinguish our variant from the OIDC Core one in the specification we demand that aud is set to be the authorisation endpoint of the OP. We also ask for the iss and sub claims to be the entity ID of the RP. Furthermore we expect jti to be used to prevent reuse.
> 
> I can’t see any of those requirements mentioned when describing the authentication endpoint authentication at https://bitbucket.org/openid/connect/src/default/openid-connect-federation-1_0.xml#lines-2085 - is that mentioned somewhere else?
> 
> I was going to ask/say the same thing because I couldn't find it either. 
>  
> 
> 
>> This is the problem we need to solve. If we can’t use a client authentication method like the one private_key_jwt represents
>> 
>> what other alternatives are there ?
> 
> A signed request object, passed by value, would achieve the same goal of showing control of the private key I think?
> 
> A signed request object seems much more appropriate. 

If we use signed request objects, do we mandate them for all authorization requests or just for the first one?

If one uses explicit dynamic registration you do the registration and then you do authorization requests 
using any of the available methods until the registration runs out.

Using the same ‘model’ for automatic client registration you would only have to use a signed request object
when you needed to ‘register’.

— Roland

It is curious that physical courage should be so common in the world, and moral courage so rare. -Mark Twain, author and humorist (30 Nov 1835-1910)
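The claim profile Roland describes for the front-channel client assertion (aud set to the OP's authorization endpoint, iss and sub set to the RP's entity ID, jti single-use) can be checked at the authorization endpoint like this. This is an added illustration, not code from the federation draft or from anyone on the thread; the endpoint URL and entity ID are constructed values, and it assumes the JWS signature has already been verified against the RP's published key before the claims reach this check.

```python
import base64
import json
import time

# Constructed example values (assumptions, not taken from the thread).
OP_AUTHORIZATION_ENDPOINT = "https://op.example.org/authorize"
RP_ENTITY_ID = "https://rp.example.com"
SAMPLE_CLAIMS = {"iss": RP_ENTITY_ID, "sub": RP_ENTITY_ID,
                 "aud": OP_AUTHORIZATION_ENDPOINT, "jti": "c0ffee-1",
                 "iat": 1_700_000_000, "exp": 1_700_000_300}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWT compact form."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_claims(compact_jws: str) -> dict:
    """Return the payload of a compact JWS. Signature verification against the
    RP's key is assumed to happen before these claims are trusted."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


class ClientAssertionValidator:
    """Enforces aud == authorization endpoint, iss == sub == RP entity ID,
    an unexpired exp, and a jti that has not been seen before."""

    def __init__(self, authorization_endpoint: str):
        self.authorization_endpoint = authorization_endpoint
        self._seen_jti = {}  # jti -> exp, kept only until the assertion expires

    def validate(self, claims: dict, expected_rp: str, now=None) -> bool:
        now = time.time() if now is None else now
        # Purge expired entries so the replay cache stays bounded.
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e > now}
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.authorization_endpoint not in aud:
            return False  # assertion minted for some other endpoint
        if claims.get("iss") != expected_rp or claims.get("sub") != expected_rp:
            return False
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return False
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._seen_jti:
            return False  # missing jti or replayed assertion
        self._seen_jti[jti] = exp
        return True
```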
