[Openid-specs-ab] Key-binding and dpop scope

[george at practicalidentity.com]

My thought is that might depend on whether the ‘cnf’ scope is only applied to the id_token or whether cnf claims should be added to other issued tokens as well. Currently the proposed key-binding spec is specific to id_tokens. 

George Fletcher
Identity Standards Architect
Practical Identity LLC



> On Aug 29, 2025, at 12:56 PM, Dag Helge Østerhagen via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> I like «id_token_cnf», but wouldn’t just «cnf» be more aligned with other oidc scopes?
> 
> /dag
> From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of george--- via Openid-specs-ab <openid-specs-ab at lists.openid.net>
> Sent: Friday, August 29, 2025 6:14:16 PM
> To: Dick Hardt <dick.hardt at hello.coop>
> Cc: george at practicalidentity.com <george at practicalidentity.com>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
> Subject: Re: [Openid-specs-ab] Key-binding and dpop scope
>  
> That makes sense to me; including ‘cnf’ in the scope name. Would we ever want to allow the “key binding” mechanism to use something other than DPoP? If so, and the express purpose is to provide key binding for the id_token, then I’d recommend something like ‘id_token_cnf’.  It’s specific, clear and doesn’t preclude methods other than DPoP to provide the necessary data for the cnf claim.
> 
> George Fletcher
> Identity Standards Architect
> Practical Identity LLC
> 
> 
> 
>> On Aug 29, 2025, at 11:00 AM, Dick Hardt <dick.hardt at hello.coop> wrote:
>> 
>> I have no strong views on the scope name. Open to other ideas / suggestions / opinions!
>> 
>> Perhaps `cnf` to align with the claim? 
>> ᐧ
>> 
>> On Fri, Aug 29, 2025 at 3:57 PM <george at practicalidentity.com <mailto:george at practicalidentity.com>> wrote:
>> Hi, 
>> 
>> Would it make sense to change the scope name identified in the key-binding spec from something specific like ‘dpop’ to something more generic? e.g. ‘id_token_kb’ ? Or maybe just make clearer that the RP is looking for key bound tokens? e.g. ‘dpop_kb’? I just worry that ‘dpop’ by itself does not communicate the intended behavior.
>> 
>> Thoughts?
>> 
>> George Fletcher
>> Identity Standards Architect
>> Practical Identity LLC
>> 
>> 
>> 
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250829/017ba873/attachment.htm>