[Openid-specs-mobile-profile] Issue #120: CIBA: client authentication at the backchannel authentication endpoint (openid/mobile)

Takahiko Kawasaki issues-reply at bitbucket.org
Wed Nov 21 06:29:09 UTC 2018


New issue 120: CIBA: client authentication at the backchannel authentication endpoint
https://bitbucket.org/openid/mobile/issues/120/ciba-client-authentication-at-the

Takahiko Kawasaki:

*"7.1.1. Signed Authentication Request"* says that JWTs used as the value of the `request` request parameter _"MUST be secured with an **asymmetric** signature"_. This description makes me feel like confirming consensus on **client authentication** at the backchannel authentication endpoint.

Regarding client authentication at the backchannel authentication endpoint, *"7.1. Authentication Request"* says as follows.

> The Client MUST authenticate to the Backchannel Authentication Endpoint using the authentication method registered for its client_id, such as the authentication methods from Section 9 of [OpenID.Core] or authentication methods defined by extension in other specifications.

The client authentication methods listed in [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) of _"[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)"_ are as follows (excluding `none`).

* `client_secret_basic`
* `client_secret_post`
* `client_secret_jwt`
* `private_key_jwt`

In addition, client authentication methods defined in _"[OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/)"_ are as follows.

* `tls_client_auth`
* `self_signed_tls_client_auth`

If signature algorithms for the `request` object are intentionally limited to **asymmetric** ones, is there any hidden consensus which prohibits client authentication methods using a **client secret** (which is a shared **symmetric** key)? Or hasn't it been discussed yet?

BTW, if a TLS-based client authentication method is used, `client_id` is needed as a request parameter, or some other means to identify the client ID is needed anyway.
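As an added illustration of the two constraints the question touches (a `request` object whose `alg` must be asymmetric per 7.1.1, and TLS-based client authentication giving the endpoint no `client_id` of its own), here is a small server-side check written for this thread; it is not code from the issue, the CIBA draft, or any OpenID implementation. The function names, the `require_asymmetric_client_auth` flag (a hypothetical deployment policy, since the issue asks whether such a rule exists and does not say it does), and the sample tokens and client identifier are all constructed for the example; the JWS is only parsed, never signature-verified.

```python
import base64
import json

# Client authentication methods named in the issue, grouped by credential type.
SYMMETRIC_CLIENT_AUTH = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}
ASYMMETRIC_CLIENT_AUTH = {"private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth"}
# TLS-based methods identify the client by its certificate, which carries no
# client_id, so the request body itself has to name the client.
TLS_CLIENT_AUTH = {"tls_client_auth", "self_signed_tls_client_auth"}

# JWS algorithms backed by an asymmetric key (RFC 7518 and RFC 8037).
# HS256/HS384/HS512 use a shared secret and "none" is unsigned.
ASYMMETRIC_JWS_ALGS = {
    "RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
    "ES256", "ES384", "ES512", "EdDSA",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def request_object_alg(jwt: str) -> str:
    """Return 'alg' from a compact JWS header. Signature verification is separate."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    alg = json.loads(_b64url_decode(parts[0])).get("alg")
    if not isinstance(alg, str):
        raise ValueError("request object header has no 'alg'")
    return alg


def check_backchannel_request(form, client_auth_method, require_asymmetric_client_auth=False):
    """Return policy violations (empty list = accept) for one backchannel request.

    form: the POSTed parameters as a dict.
    client_auth_method: the method registered for the client; the endpoint is
      assumed to have already authenticated the caller with it.
    require_asymmetric_client_auth: hypothetical option rejecting shared-secret
      methods; CIBA does not state such a rule, the issue merely asks about it.
    """
    problems = []
    if client_auth_method in TLS_CLIENT_AUTH and "client_id" not in form:
        problems.append("client_id missing: TLS client authentication carries no client identifier")
    if require_asymmetric_client_auth and client_auth_method in SYMMETRIC_CLIENT_AUTH:
        problems.append(f"{client_auth_method} is a shared-secret method; policy requires asymmetric client auth")
    if "request" in form:
        try:
            alg = request_object_alg(form["request"])
        except ValueError as exc:
            problems.append(f"request object unparseable: {exc}")
        else:
            if alg not in ASYMMETRIC_JWS_ALGS:
                problems.append(f"request object alg {alg!r} is not an asymmetric signature (7.1.1)")
    return problems


def make_unverified_request_object(alg: str) -> str:
    """Constructed compact JWS with the given alg and a dummy signature.

    Only the header matters to request_object_alg; a real request object is
    signed with the client's key and verified by the OP.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"scope": "openid", "login_hint": "user@example.com"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    # "client-123" is a constructed identifier, not one from the issue.
    good = {"client_id": "client-123", "request": make_unverified_request_object("RS256")}
    print(check_backchannel_request(good, "tls_client_auth"))          # []
    no_id = {"request": make_unverified_request_object("RS256")}
    print(check_backchannel_request(no_id, "tls_client_auth"))         # client_id missing
    hmac = {"client_id": "client-123", "request": make_unverified_request_object("HS256")}
    print(check_backchannel_request(hmac, "private_key_jwt"))          # HS256 rejected
```

The check deliberately does not demand `client_id` for `client_secret_basic`, where the identifier travels in the `Authorization` header rather than the form body, and it treats the symmetric-method rejection as opt-in, because the draft text quoted above only constrains the `request` object's signature, not the client authentication method.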
