[Openid-specs-ab] Issue #1164: insecure front-channel use of private_key_jwt client authentication (openid/connect)

Brian Campbell bcampbell at pingidentity.com
Tue Apr 21 13:10:07 UTC 2020

How did/does that work when client_assertion/client_assertion_type were
being tacked onto the authz request? Without reevaluating the bigger
approach, it sure seemed like client_assertion was trying to be used like a
signed request and so it seems like an actual signed request object should
just be a more appropriate replacement.

On Tue, Apr 21, 2020 at 12:57 AM Roland Hedberg <roland at catalogix.se> wrote:

> If we use signed request objects, do we mandate it for all authorization
> requests or just for the first one?
