[Openid-specs-ab] Issue #1213: private_key_jwt, client_secret_jwt audience (openid/connect)

panva issues-reply at bitbucket.org
Mon Mar 15 10:42:33 UTC 2021


New issue 1213: private_key_jwt, client_secret_jwt audience
https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience

Filip Skokan:

[https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)

> aud  
> REQUIRED. Audience. The `aud` (audience) Claim. Value that identifies the Authorization Server as an intended audience. The Authorization Server MUST verify that it is an intended audience for the token. **The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.**

The assertion, originally defined in [https://tools.ietf.org/html/rfc7523#section-3](https://tools.ietf.org/html/rfc7523#section-3) 

> **The JWT MUST contain an "aud" (audience) claim containing a**  
> **value that identifies the authorization server as an intended**  
> **audience.** **The token endpoint URL of the authorization server**  
> **MAY be used as a value for an "aud" element to identify the**  
> **authorization server as an intended audience of the JWT.** The  
> authorization server MUST reject any JWT that does not contain  
> its own identity as the intended audience.

When considering the different endpoints these client assertions are used to authenticate at (Token, Introspection, Revocation, PAR, CIBA, Device Authorization Grant), the SHOULD on use of the token endpoint URL as audience is REALLY confusing for both AS implementers as well as RP implementers. There has to be a clearer definition of the value to use, one that makes sense. It does not make sense to use the token endpoint URL when authenticating at the revocation or CIBA endpoints.

The intention is to assert the identity of the AS (again as per RFC7523 - The authorization server MUST reject any JWT that does not contain its own identity as the intended audience.), for which we have the **Issuer Identifier**.

I suggest including in the next Core 1.0 errata that

> The Audience SHOULD be the Issuer Identifier and MAY be the URL of the Authorization Server's Token Endpoint.
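
An added example, not from the issue or from any of the specs it cites, of the AS-side `aud` check that the proposed wording implies: the AS accepts its own Issuer Identifier or its token endpoint URL, compares values exactly, and rejects anything else (the issuer and endpoint URLs below are constructed, and signature verification of the assertion is assumed to have already happened).

```python
# Added example: audience validation for a private_key_jwt / client_secret_jwt
# client assertion, run by the AS after the JWT signature has been verified.
from typing import Iterable, Optional

ISSUER = "https://as.example.com"                 # constructed Issuer Identifier
TOKEN_ENDPOINT = "https://as.example.com/token"   # constructed token endpoint URL

# Identities this AS is willing to answer to: the Issuer Identifier (the value
# proposed in the issue) plus the token endpoint URL for compatibility.
ACCEPTED_AUDIENCES = frozenset({ISSUER, TOKEN_ENDPOINT})


def _aud_values(aud) -> Optional[list]:
    """RFC 7519: `aud` is a single StringOrURI or an array of them."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    return None  # missing, empty, or wrongly typed -> reject


def check_assertion_audience(claims: dict, accepted: Iterable[str]) -> bool:
    """True only if at least one `aud` value is exactly one of this AS's identities.

    RFC 7523 section 3: the AS MUST reject any JWT that does not contain its own
    identity as the intended audience. Exact string comparison, no prefix or
    host matching, so "https://as.example.com/revoke" is not accepted.
    """
    values = _aud_values(claims.get("aud"))
    if values is None:
        return False
    accepted_set = frozenset(accepted)
    return any(v in accepted_set for v in values)


def evaluate(claims: dict) -> bool:
    return check_assertion_audience(claims, ACCEPTED_AUDIENCES)


# Constructed sample claims sets (headers and signatures omitted).
SAMPLES = {
    "issuer_aud": {"iss": "client-1", "sub": "client-1", "aud": ISSUER},
    "token_endpoint_aud": {"iss": "client-1", "sub": "client-1", "aud": TOKEN_ENDPOINT},
    "aud_array": {"iss": "client-1", "sub": "client-1", "aud": [ISSUER, TOKEN_ENDPOINT]},
    "revocation_aud": {"iss": "client-1", "sub": "client-1", "aud": ISSUER + "/revoke"},
    "trailing_slash": {"iss": "client-1", "sub": "client-1", "aud": ISSUER + "/"},
    "missing_aud": {"iss": "client-1", "sub": "client-1"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(f"{name}: {'accept' if evaluate(claims) else 'reject'}")
```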

