[Openid-specs-mobile-profile] Issue #155: aud to use in client_assertion passed to Backchannel Authentication Endpoint is murky? (openid/mobile)

Brian Campbell bcampbell at pingidentity.com
Tue May 21 12:03:49 UTC 2019


FWIW there's some discussion in the comments of
https://bitbucket.org/openid/mobile/issues/155

On Mon, May 20, 2019 at 3:30 PM Hans Zandbelt <hans.zandbelt at zmartzone.eu>
wrote:

> I came across this on a similar note when implementing client
> authentication to the (RFC 7009) token revocation endpoint and I'm
> interested in your views.
>
> Hans.
>
> On Mon, May 20, 2019 at 2:43 PM <josephheenan at bitbucket.org> wrote:
>
>> New issue 155: aud to use in client_assertion passed to Backchannel
>> Authentication Endpoint is murky?
>>
>> https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to
>>
>> Joseph Heenan:
>>
>> We came across what looks like an oddity whilst implementing tests; I’m
>> not sure if I’ve missed a specification or if there is something that could
>> benefit from clarification:
>>
>>  I can’t entirely figure out what the ‘aud’ value in a client assertion
>> to the backchannel authentication endpoint should be.
>>
>> The client assertion spec, https://tools.ietf.org/html/rfc7521#section-5.1,
>> says:
>>
>> ```
>>  Audience
>>       A value that identifies the party or parties intended to process
>>       the assertion.  The URL of the token endpoint, as defined in
>>       Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate that
>>       the authorization server is a valid intended audience of the
>>       assertion
>> ```
>>
>> https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
>> doesn’t seem to add any clarity.
>>
>> By contrast, the CIBA request object is quite clear: “The Audience claim
>> MUST contain the value of the Issuer Identifier for the OP, which
>> identifies the Authorization Server as an intended audience.”
>>
>> The three possibilities for the audience for client assertion seem to be:
>>
>> 1. the token endpoint (as RFC7521 says)
>> 2. the backchannel authentication endpoint (because that’s where the
>> assertion is being sent)
>> 3. the issuer (to match the CIBA request object)
>>
>> The server I’m trying against (Authlete) seems to have interpreted it
>> as ‘2’.
>>
>>
>> _______________________________________________
>> Openid-specs-mobile-profile mailing list
>> Openid-specs-mobile-profile at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
>>
>
>
> --
> hans.zandbelt at zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
>


-- 
Brian Campbell
Distinguished Engineer
bcampbell at pingidentity.com
w: +1 720.317.2061
c: +1 303.918.9415

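The three candidate audiences in the quoted issue, as an added example that is not part of the thread and not code from Authlete or any other implementation: a client building a client_secret_jwt client assertion (HS256, so it runs with the Python standard library alone) and an authorization server validating it, with the audience check written as a set so that each of the three interpretations can be tried against each strict server policy. The OP URLs, the client_id and the shared secret are constructed for the example; the audience check is the point of the thread, since it is what stops an assertion minted for one server (or, under a strict policy, one endpoint) from authenticating the client somewhere else.

```python
# Added example, not code from the thread, Authlete or any other product.
# Client-side construction and AS-side validation of a client_secret_jwt
# client assertion (RFC 7523 / OIDC Core 1.0 section 9). The audience check
# takes a set so the three candidate interpretations can be compared.
# All URLs, the client_id and the secret below are constructed assumptions.
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed identifiers for a hypothetical OP (not from the thread).
ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = "https://op.example.com/token"
BACKCHANNEL_AUTH_ENDPOINT = "https://op.example.com/bc-authorize"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret-use-32-plus-random-bytes"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(aud, now=None, lifetime=60):
    """Client side: sign a JWT whose aud is whichever value the client chose."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    mac = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


class ClientAssertionRejected(Exception):
    pass


def verify_client_assertion(assertion, accepted_audiences, seen_jti, now=None):
    """AS side: check signature, iss/sub, audience, lifetime and replay.

    accepted_audiences: the set of identifiers this AS treats as "itself".
    seen_jti: a mutable set the caller keeps across calls to reject replays."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ClientAssertionRejected("malformed JWT")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm; never let the token header choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ClientAssertionRejected("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ClientAssertionRejected("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        raise ClientAssertionRejected("iss and sub must both be the client_id")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # The check the thread is about: an assertion minted for another server
    # (or, under a strict policy, another endpoint) must not authenticate here.
    if not any(a in accepted_audiences for a in auds):
        raise ClientAssertionRejected(f"aud {aud!r} not accepted")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ClientAssertionRejected("missing exp or expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ClientAssertionRejected("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def audience_matrix():
    """Try each client choice of aud against each plausible AS policy.

    Returns {(policy_name, aud): accepted} so the interop consequence of
    each interpretation is explicit."""
    policies = {
        "token_endpoint_only": {TOKEN_ENDPOINT},          # option 1, strict
        "bc_endpoint_only": {BACKCHANNEL_AUTH_ENDPOINT},  # option 2, strict
        "issuer_only": {ISSUER},                          # option 3, strict
        "accept_all_three": {ISSUER, TOKEN_ENDPOINT, BACKCHANNEL_AUTH_ENDPOINT},
    }
    results = {}
    for name, accepted in policies.items():
        for aud in (TOKEN_ENDPOINT, BACKCHANNEL_AUTH_ENDPOINT, ISSUER):
            try:
                verify_client_assertion(make_client_assertion(aud), accepted, set())
                results[(name, aud)] = True
            except ClientAssertionRejected:
                results[(name, aud)] = False
    return results


if __name__ == "__main__":
    for (policy, aud), ok in sorted(audience_matrix().items()):
        print(f"{policy:20s} aud={aud:42s} {'accepted' if ok else 'REJECTED'}")
```

Running the block prints the matrix: each strict policy accepts exactly one of the three client choices, and only the policy that lists all three identifiers accepts every client. A client may also send `aud` as a JSON array naming more than one of them, which the verifier above handles by accepting the assertion if any listed value matches. With private_key_jwt the same claim checks apply; only the signature step changes, to verifying an RS256/ES256 signature with the key the client registered.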