[Openid-specs-ab] Issue #1164: insecure front-channel use of private_key_jwt client authentication (openid/connect)

Joseph Heenan joseph at authlete.com
Tue Apr 21 14:39:31 UTC 2020



> On 21 Apr 2020, at 14:52, Roland Hedberg via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> It’s not specified.
> 
> And I don’t think there is any difference if client_assertion/client_assertion_type or signed requests are used.
> 
> Myself I’m on the side of Joseph; if your library can do it why not do it always.
> I guess the downside is that it is costly, both for the OP and the RP.
> 
> So are there any security reasons for always doing it?

It has the advantage of preventing the request from being tampered with [to some extent, and if all the parameters are included inside the signed object], which is the main reason FAPI-RW requires signed requests always.

PAR has pretty much the same advantage without the complexity of signing the request. (Though arguably the difference in complexity between a signed request object & private_key_jwt client authentication is relatively minor given both require a JWT signed in the same way with the same key.)

Joseph



