[Openid-specs-mobile-profile] Issue #203: MTLS aliases ambiguity in private_key_jwt client authentication (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Tue Jun 8 21:12:55 UTC 2021


New issue 203: MTLS aliases ambiguity in private_key_jwt client authentication
https://bitbucket.org/openid/mobile/issues/203/mtls-aliases-ambiguity-in-private_key_jwt

Joseph Heenan:

The CIBA spec says (on the topic of the `aud` for private key jwt client authentication assertions):

>  To facilitate interoperability, the OP MUST accept its Issuer Identifier, Token Endpoint URL, or Backchannel Authentication Endpoint URL as values that identify it as an intended audience.

The certification team just ran into an OP that rejects its non-mTLS token endpoint URL as the audience for an assertion used at the mTLS backchannel authentication endpoint and hence failed a test. I’m unsure what’s the correct way to combine the above text with the aliases defined in https://datatracker.ietf.org/doc/html/rfc8705#section-5, so it seems there’s perhaps a remaining ambiguity.
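The two readings at issue, as an added example that is not part of the original post, the CIBA spec or any OP's code: one audience check that treats an endpoint and its RFC 8705 mtls_endpoint_aliases entry as the same logical endpoint, beside the narrower check the reported OP appears to apply. The issuer, URLs and client claims are constructed; signature, iss/sub, exp and jti validation of the assertion are assumed to have been done already.

```python
"""Which `aud` values an OP should accept on a private_key_jwt client
assertion when it publishes RFC 8705 mtls_endpoint_aliases.

Added example for this thread, not code from the CIBA spec, the
certification suite or any OP.  The issuer and URLs are constructed.
Signature, iss/sub, exp and jti checks on the assertion are assumed to
have already been done; only the audience check is modelled here."""

# Constructed discovery metadata for a hypothetical OP that offers both
# plain and mTLS hosts for its token and backchannel endpoints.
OP_METADATA = {
    "issuer": "https://op.example.com",
    "token_endpoint": "https://op.example.com/token",
    "backchannel_authentication_endpoint": "https://op.example.com/bc-authorize",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://mtls.op.example.com/token",
        "backchannel_authentication_endpoint": "https://mtls.op.example.com/bc-authorize",
    },
}

# Endpoints the CIBA text names as acceptable audiences besides the issuer.
AUD_ENDPOINTS = ("token_endpoint", "backchannel_authentication_endpoint")


def interoperable_audiences(metadata):
    """Issuer, token endpoint and backchannel endpoint (the three values the
    CIBA text says the OP MUST accept) together with the mtls_endpoint_aliases
    of those two endpoints.  Treating alias and non-alias URL as the same
    logical endpoint is the reading that keeps a client working whichever
    host it was configured with."""
    accepted = {metadata["issuer"]}
    aliases = metadata.get("mtls_endpoint_aliases", {})
    for name in AUD_ENDPOINTS:
        if name in metadata:
            accepted.add(metadata[name])
        if name in aliases:
            accepted.add(aliases[name])
    return accepted


def strict_audiences(metadata, endpoint_url_used):
    """The narrower behaviour the issue reports: issuer plus the exact URL
    the assertion was presented at, so the plain token endpoint URL is not
    accepted at the mTLS backchannel endpoint."""
    return {metadata["issuer"], endpoint_url_used}


def aud_values(claims):
    """RFC 7519 allows `aud` to be a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return []  # missing or malformed aud: never matches


def aud_matches(claims, accepted):
    """True if at least one audience value identifies this OP.  Comparison is
    exact string equality; no normalisation of case, trailing slashes or
    ports, so metadata and client configuration must agree byte for byte."""
    return any(a in accepted for a in aud_values(claims))


if __name__ == "__main__":
    # The scenario from the issue: the assertion carries the plain token
    # endpoint URL but is sent to the mTLS backchannel authentication endpoint.
    claims = {
        "iss": "client-123",
        "sub": "client-123",
        "aud": "https://op.example.com/token",
        "jti": "constructed-jti-1",
        "exp": 1623186775,
    }
    used = OP_METADATA["mtls_endpoint_aliases"]["backchannel_authentication_endpoint"]
    print("interoperable:", aud_matches(claims, interoperable_audiences(OP_METADATA)))  # True
    print("strict:", aud_matches(claims, strict_audiences(OP_METADATA, used)))  # False
```

Under the interoperable reading the assertion in the scenario is accepted; under the strict one it is rejected, which is the test failure described above. The check deliberately does no URL normalisation, so an OP that publishes an alias with a different port or trailing slash than the client was configured with will still fail on the alias path.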
