[Openid-specs-ab] Issue #1825: OpenID4VCI: client identification and authentication at the token endpoint (openid/connect)
Takahiko Kawasaki
issues-reply at bitbucket.org
Tue Feb 21 17:20:21 UTC 2023
New issue 1825: OpenID4VCI: client identification and authentication at the token endpoint
https://bitbucket.org/openid/connect/issues/1825/openid4vci-client-identification-and
Takahiko Kawasaki:
From Section 6.1. Token Request of the draft 11 of “OpenID for Verifiable Credential Issuance”.
> Requirements around how the Wallet identifies and, if applicable, authenticates itself with the Authorization Server in the Token Request depends on the Grant Type.
>
> For the Authorization Code Grant Type, the requirement as described in Sections 4.1.3 and 3.2.1 of \[[RFC6749](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#RFC6749)\] MUST be followed.
>
> For the Pre-Authorized Code Grant Type, authentication of the client is OPTIONAL, as described in Section 3.2.1 of OAuth 2.0 \[[RFC6749](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#RFC6749)\] and consequently, the "client\_id" is only needed when a form of Client Authentication that relies on the parameter is used.
The description in the above paragraphs about wallet \(client\) identification and authentication at the token endpoint is inappropriate.
Wallet \(client\) identification and authentication should depend on “client type” \(RFC 6749 Section 2.1\) and “client authentication method” \(“token\_endpoint\_auth\_method” client metadata\), not on “grant type”.
When the client type of the wallet \(client\) making a token request is “public” \(RFC 6749 Section 2.1\), the `client_id` request parameter is only needed.
On the other hand, when the client type of the wallet \(client\) making a token request is “confidential” \(RFC 6749 Section 2.1\), necessary parameters for client identification and authentication vary depending on the client authentication method.
| **client authentication method** | **identification** | **necessary parameters** |
| --- | --- | --- |
| `client_secret_basic` | The client ID encoded in the `Authorization` HTTP header | The `Authorization` HTTP header |
| `client_secret_post` | The `client_id` request parameter | The `client_id` request parameter and the `client_secret` request parameter |
| `client_secret_jwt` | The `iss` claim and the `sub` claim in the client assertion | The `client_assertion` request parameter and the `client_assertion_type` request parameter |
| `private_key_jwt` | The `iss` claim and the `sub` claim in the client assertion | The `client_assertion` request parameter and the `client_assertion_type` request parameter |
| `tls_client_auth` | The `client_id` request parameter | The `client_id` request parameter and an X.509 certificate of the client |
| `self_signed_tls_client_auth` | The `client_id` request parameter | The `client_id` request parameter and an X.509 certificate \(self-signed\) of the client |
The paragraphs in Section 6.1 should be rephrased.
cf. “[OAuth 2.0 Client Authentication](https://medium.com/@darutk/oauth-2-0-client-authentication-4b5f929305d4)”
More information about the Openid-specs-ab
mailing list