[Openid-specs-fapi] Issue #244: FAPI-CIBA: Does "JWS/JWE Algorithm considerations" apply to Read-Only, too? (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Wed Jul 3 00:51:30 UTC 2019


New issue 244: FAPI-CIBA: Does "JWS/JWE Algorithm considerations" apply to Read-Only, too?
https://bitbucket.org/openid/fapi/issues/244/fapi-ciba-does-jws-jwe-algorithm

Takahiko Kawasaki:

“7.6 JWS/JWE Algorithm considerations” of the FAPI-CIBA profile says as follows.

> CIBA Authorization Servers and Clients shall follow the guidance around JWT signing and encryption Algorithms in [FAPI2] 8.6 and 8.6.1.

In FAPI, the JWS algorithm is checked only in the case of Read-and-Write. On the other hand, “5.2.1 Introduction” of the FAPI-CIBA profile says _“This profile applies to both Read-Only APIs and Read-and-Write APIs.”_ This makes room for ambiguity.

When a backchannel authentication request is judged as a request for FAPI Read-Only APIs, should the signature algorithm of the signed authentication request (= the value of the `"request"` request parameter) be checked?

Likewise, when a backchannel authentication request is for FAPI Read-Only APIs, should the signature algorithm of the client assertion (= the value of the `"client_assertion"` request parameter) be checked?

In my opinion, the signature algorithm should be checked only when a backchannel authentication request is judged as a request for FAPI Read-and-Write APIs.

To eliminate the ambiguity, the sentence in “7.6 JWS/JWE Algorithm considerations” should be followed by a constraint like _“when a backchannel authentication request is judged as a request for FAPI Read-and-Write APIs.”_ (I hope native English speakers find a better wording.)
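The two readings of 7.6 discussed in the issue, expressed as a server-side check that an editor adds here for illustration; this is not code from the issue, from the FAPI working group, or from any implementation the reporter works on. It assumes the allowed set is the one FAPI Part 2 section 8.6 names (PS256 and ES256), that the server has already decided whether the backchannel request targets Read-and-Write APIs (the `read_write` flag is a hypothetical input, since the issue does not say how that judgement is made), and that the `alg` is read from the protected header only to compare it against the allow-list before any signature verification happens. The sample JWTs are constructed with a dummy signature purely to carry a header.

```python
import base64
import json

# Algorithms FAPI Part 2 (Read-and-Write) 8.6 permits for JWS. Assumption: this
# frozen set is what the deployment enforces; adjust if your profile version differs.
FAPI_RW_ALLOWED_ALGS = frozenset({"PS256", "ES256"})


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_alg(compact_jws: str) -> str:
    """Return 'alg' from the protected header of a compact JWS without verifying it.

    The value is untrusted input at this point: it is only used to decide whether
    the token is even eligible for verification under the profile's allow-list.
    """
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("protected header is not valid base64url JSON") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or not alg:
        raise ValueError("protected header has no usable 'alg'")
    return alg


def validate_backchannel_request(request_object: str, client_assertion: str,
                                 read_write: bool, check_read_only: bool = False) -> dict:
    """Apply the FAPI 8.6 alg check to both JWTs of a CIBA backchannel request.

    read_write:      the server's judgement that the request targets Read-and-Write APIs
                     (hypothetical input; how that judgement is made is outside this example).
    check_read_only: True selects the stricter reading of FAPI-CIBA 7.6 (check always);
                     False selects the reading proposed in the issue (check only for RW).
    """
    must_check = read_write or check_read_only
    result = {"checked": must_check}
    for name, token in (("request", request_object), ("client_assertion", client_assertion)):
        alg = jws_alg(token)
        # Baseline independent of the FAPI profile: an unsecured JWS is never acceptable
        # where a signed assertion or request object is expected.
        if alg == "none":
            raise ValueError(f"{name}: alg 'none' is never permitted")
        if must_check and alg not in FAPI_RW_ALLOWED_ALGS:
            raise ValueError(f"{name}: alg {alg!r} not permitted by FAPI 8.6 "
                             f"(allowed: {sorted(FAPI_RW_ALLOWED_ALGS)})")
        result[name] = alg
    return result


def make_sample_jws(alg: str) -> str:
    """Constructed sample: a compact JWS carrying the given alg with a dummy signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = enc({"alg": alg, "typ": "JWT"})
    payload = enc({"iss": "client-example", "aud": "https://as.example/bc-authorize"})
    signature = base64.urlsafe_b64encode(b"\x00" * 32).decode().rstrip("=")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    ps = make_sample_jws("PS256")
    rs = make_sample_jws("RS256")
    print(validate_backchannel_request(ps, ps, read_write=True))
    print(validate_backchannel_request(rs, rs, read_write=False))  # issue's reading: passes
    try:
        validate_backchannel_request(rs, rs, read_write=False, check_read_only=True)
    except ValueError as e:
        print("strict reading rejects it:", e)
```

Running the block shows the ambiguity concretely: the same RS256-signed pair is accepted under the reading the issue proposes (`read_write=False`, no check) and rejected under the stricter reading (`check_read_only=True`). Whichever reading the specification settles on, the `alg` comparison against a fixed allow-list must precede signature verification, and `none` is rejected on both paths.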




More information about the Openid-specs-fapi mailing list