[Openid-specs-ab] Issue #1548: [security] request_authentication_signing_alg_values_supported - disambiguation text (openid/connect)

peppelinux issues-reply at bitbucket.org
Tue Jul 12 21:59:58 UTC 2022


New issue 1548: [security] request_authentication_signing_alg_values_supported - disambiguation text
https://bitbucket.org/openid/connect/issues/1548/security

Giuseppe De Marco:

In "[4.2. OP Metadata](https://openid.bitbucket.io/connect/openid-connect-federation-1_0.html#rfc.section.4)", the text related to `request_authentication_signing_alg_values_supported` cites

> OPTIONAL. JSON array containing a list of the JWS signing algorithms \(alg values\) supported for the signature on the JWT [\[RFC7519\]](https://openid.bitbucket.io/connect/openid-connect-federation-1_0.html#RFC7519) used to authenticate the request using the private\_key\_jwt and request\_object authentication methods. This entry MUST be present if either of these authentication methods are specified in the request\_authentication\_methods\_supported entry. No default algorithms are implied if this entry is omitted. Servers SHOULD support RS256. The value none MUST NOT be used.


This is something clear to those who already know that private\_key\_jwt is usable with PAR, but it could represent a security issue if a reader considers using private\_key\_jwt in AR, because this can be sniffed in a browser and reused at a token endpoint \(if PKCE is not enabled\). May we consider adding a note that explains request\_object → for AR, and private\_key\_jwt → for PAR, to avoid possible security issues in new implementations?

That's why in the request object we must omit the sub claim, to prevent this request object from being stolen and reused as a private\_key\_jwt. Am I mistaken?

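As an added example (not code from the issue, the Federation spec, or any OP implementation), here is the token-endpoint claim check that makes the distinction the issue asks about concrete: a private\_key\_jwt client\_assertion must carry `sub` equal to the client\_id (OIDC Core section 9, RFC 7523 section 3), so a request object sniffed from the browser, which omits `sub`, is rejected even if it reaches the token endpoint. The client\_id, issuer, token endpoint URL, timestamps and both JWTs are constructed sample values; signature verification against the client's registered key is assumed to have happened before these checks and is not shown.

```python
import base64, json

# Constructed sample values; assumptions for this example, not taken from the issue.
CLIENT_ID = "https://rp.example.org"
OP_ISSUER = "https://op.example.org"
TOKEN_ENDPOINT = "https://op.example.org/token"
NOW = 1657663198  # fixed "current time" so the checks are deterministic

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unsigned_jwt(claims: dict) -> str:
    """Compact JWT shell. Verifying the signature against the client's registered
    key happens before these claim checks and is deliberately not shown here."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.SIGNATURE-PLACEHOLDER"

def claims_of(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# Parameters that belong only in an authorization request object, never in a client assertion.
AUTHZ_REQUEST_PARAMS = {"response_type", "redirect_uri", "scope", "state", "nonce"}

def check_client_assertion(jwt: str, seen_jti: set, now: int = NOW) -> str:
    """Token-endpoint claim checks for a private_key_jwt client_assertion
    (OIDC Core 9, RFC 7523 section 3). Returns 'ok' or the first rejection reason."""
    c = claims_of(jwt)
    if c.get("iss") != CLIENT_ID:
        return "iss is not the authenticating client"
    if "sub" not in c:  # a request object carries no sub, so a replayed one fails here
        return "missing sub: not a client authentication JWT"
    if c["sub"] != CLIENT_ID:
        return "sub is not the authenticating client"
    if c.get("aud") not in (TOKEN_ENDPOINT, OP_ISSUER):
        return "aud does not identify this authorization server"
    if c.get("exp", 0) <= now:
        return "expired"
    if c.get("jti") is None or c["jti"] in seen_jti:
        return "missing or already used jti (replay)"
    if AUTHZ_REQUEST_PARAMS.intersection(c):  # defence in depth if an RP wrongly adds sub
        return "carries authorization-request parameters: looks like a replayed request object"
    seen_jti.add(c["jti"])
    return "ok"

# Constructed inputs: a request object as sent through the browser, and a real client assertion.
REQUEST_OBJECT = unsigned_jwt({"iss": CLIENT_ID, "aud": OP_ISSUER, "client_id": CLIENT_ID,
                               "response_type": "code", "redirect_uri": CLIENT_ID + "/cb",
                               "exp": NOW + 300, "jti": "req-1"})
CLIENT_ASSERTION = unsigned_jwt({"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
                                 "exp": NOW + 60, "jti": "assert-1"})
```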