[Openid-specs-ab] Fwd: security implications of client_id or endpoint as "aud" in OpenID Provider Commands
Dick Hardt
dick.hardt at gmail.com
Wed Apr 30 08:30:01 UTC 2025
Forwarding as Ralf is not on mail list
---------- Forwarded message ---------
From: Ralf Kuesters <ralf.kuesters at sec.uni-stuttgart.de>
Date: Wed, Apr 30, 2025 at 12:16 AM
Subject: Re: security implications of client_id or endpoint as "aud" in OpenID Provider Commands
To: <Dick.Hardt at gmail.com>, Tim Würtele <tim.wuertele at sec.uni-stuttgart.de>,
Pedram Hosseyni <pedram.hosseyni at sec.uni-stuttgart.de>
CC: Michael Jones <michael_b_jones at hotmail.com>, Artifact Binding/Connect
Working Group <openid-specs-ab at lists.openid.net>,
fabian.hauck at sec.uni-stuttgart.de <fabian.hauck at sec.uni-stuttgart.de>
Dear Dick,
We briefly looked at the OpenID Provider Commands specification and
found it very interesting. Unfortunately, we cannot give any
well-founded assessment without doing a thorough analysis first, as,
based on our experience, it is very easy to overlook even simple attack
patterns.
However, we did notice two things:
1. In its current form, the OID Provider Commands draft does not seem to
detail how RPs validate command tokens. The abstract mentions that
'Command Tokens build on the OpenID Connect ID Token schema and
verification,' but, for example, checking the 'typ' header is not
required in OIDC. Also, the proposed change of adding a client_id claim
and changing the value of the aud claim does require different
validation rules for command tokens and ID tokens on the RP side.
2. To the best of our knowledge, none of the OIDC-related specifications
guarantee that an RP's Command Endpoint is different from its client_id.
Such a "collision" may be impossible for OP-issued random client_ids,
but in cases where the client_id is a URI, e.g., OpenID Federation, an
RP might, for some reason, choose to use that same URI as its Command
Endpoint.
Best,
Ralf, Fabian, Pedram, and Tim
On 17.04.25 16:49, Dick Hardt wrote:
> Hello!
>
> We are working on a new specification, OpenID Provider Commands. The
> commands are a JWT that is similar to an ID Token that has the same
> "iss" and same verification, and share identity claims. The OP sends
> command tokens to an RP.
>
> We want to ensure that a command token is not confused with an id token.
>
> Currently the spec has the same "aud" value in the command token as an
> id token -- the client_id value.
>
> We are considering setting the "aud" value to be the command_endpoint
> URL and to set the "client_id" claim to be the client_id value.
>
> https://github.com/openid/openid-provider-commands
>
> https://github.com/openid/openid-provider-commands/issues/4
>
> Thanks in advance for your feedback and review!
>
> /Dick
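As an added example (not code from the draft, the project, or either correspondent), the following shows how an RP could validate a command token under the proposed "aud" = command endpoint / "client_id" claim layout while covering both points raised in the reply: an explicit `typ` check that plain ID Token validation does not give you, and a refusal to operate when the RP's client_id collides with its Command Endpoint URI. The HS256 shared secret, the `typ` value `command+jwt`, and all URLs and identifiers are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed values: an HS256 shared secret stands in for the OP's signing key so the
# example runs offline; COMMAND_TYP is an assumed value, the thread names no 'typ'.
SECRET = b"constructed-demo-secret"
COMMAND_TYP = "command+jwt"
ISSUER = "https://op.example"
CLIENT_ID = "client-7f3a"                        # constructed OP-issued random client_id
COMMAND_ENDPOINT = "https://rp.example/commands"  # constructed RP Command Endpoint

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(header: dict, claims: dict) -> str:
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_command_token(token: str, client_id: str, command_endpoint: str, issuer: str):
    """Return (True, 'ok') or (False, reason) for a token received at the Command Endpoint."""
    # Point 2 of the reply: if the RP's client_id is the same URI as its Command Endpoint,
    # 'aud' can no longer tell an ID Token from a command token, so refuse that setup.
    if client_id == command_endpoint:
        return False, "client_id/command endpoint collision"
    h, p, s = token.split(".")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "signature"
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    # Point 1: OIDC does not require checking 'typ', so command tokens need this explicitly.
    if header.get("typ") != COMMAND_TYP:
        return False, "typ"
    if claims.get("iss") != issuer:
        return False, "iss"
    # Proposed change: 'aud' is the Command Endpoint URL, the RP is named by 'client_id'.
    if claims.get("aud") != command_endpoint:
        return False, "aud"
    if claims.get("client_id") != client_id:
        return False, "client_id"
    return True, "ok"

# Constructed tokens: a command token under the proposed claims, and an ordinary ID Token
# (aud = client_id, no 'typ' distinction) that the Command Endpoint must not accept.
COMMAND_TOKEN = make_jwt({"alg": "HS256", "typ": COMMAND_TYP},
    {"iss": ISSUER, "aud": COMMAND_ENDPOINT, "client_id": CLIENT_ID, "sub": "user-1"})
ID_TOKEN = make_jwt({"alg": "HS256", "typ": "JWT"}, {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1"})
```

Running `validate_command_token(ID_TOKEN, CLIENT_ID, COMMAND_ENDPOINT, ISSUER)` rejects the ID Token on `typ` before any claim is compared, and passing `COMMAND_ENDPOINT` as the client_id triggers the collision refusal.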