[Openid-specs-ab] Key-binding and dpop scope
Dag Helge Østerhagen
dag at udelt.no
Fri Aug 29 17:51:03 UTC 2025
+1 for both "key_binding" and "cnf". Sigh.
/dag
________________________________
From: Dick Hardt <dick.hardt at gmail.com>
Sent: Friday, August 29, 2025 7:47:45 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Dag Helge Østerhagen <dag at udelt.no>; george at practicalidentity.com <george at practicalidentity.com>; Filip Skokan <panva.ip at gmail.com>
Subject: Re: [Openid-specs-ab] Key-binding and dpop scope
`key_binding` as scope name?
On Fri, Aug 29, 2025 at 6:35 PM Dag Helge Østerhagen via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
Well, currently the dpop header is used to signal token binding (and inclusion of the cnf claim) for access and refresh tokens. I don't see any other use cases in the (near) future.
/dag
________________________________
From: george at practicalidentity.com <george at practicalidentity.com>
Sent: Friday, August 29, 2025 7:01:54 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Dag Helge Østerhagen <dag at udelt.no>
Subject: Re: [Openid-specs-ab] Key-binding and dpop scope
My thought is that might depend on whether the ‘cnf’ scope is only applied to the id_token or whether cnf claims should be added to other issued tokens as well. Currently the proposed key-binding spec is specific to id_tokens.
George Fletcher
Identity Standards Architect
Practical Identity LLC
On Aug 29, 2025, at 12:56 PM, Dag Helge Østerhagen via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
I like «id_token_cnf», but wouldn’t just «cnf» be more aligned with other oidc scopes?
/dag
________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of george--- via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Friday, August 29, 2025 6:14:16 PM
To: Dick Hardt <dick.hardt at hello.coop>
Cc: george at practicalidentity.com <george at practicalidentity.com>; Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] Key-binding and dpop scope
That makes sense to me; including ‘cnf’ in the scope name. Would we ever want to allow the “key binding” mechanism to use something other than DPoP? If so, and the express purpose is to provide key binding for the id_token, then I’d recommend something like ‘id_token_cnf’. It’s specific, clear and doesn’t preclude methods other than DPoP to provide the necessary data for the cnf claim.
George Fletcher
Identity Standards Architect
Practical Identity LLC
On Aug 29, 2025, at 11:00 AM, Dick Hardt <dick.hardt at hello.coop> wrote:
I have no strong views on the scope name. Open to other ideas / suggestions / opinions!
Perhaps `cnf` to align with the claim?
On Fri, Aug 29, 2025 at 3:57 PM <george at practicalidentity.com> wrote:
Hi,
Would it make sense to change the scope name identified in the key-binding spec from something specific like ‘dpop’ to something more generic? e.g. ‘id_token_kb’ ? Or maybe just make clearer that the RP is looking for key bound tokens? e.g. ‘dpop_kb’? I just worry that ‘dpop’ by itself does not communicate the intended behavior.
Thoughts?
George Fletcher
Identity Standards Architect
Practical Identity LLC
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-ab
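Editor's added example, not from this thread and not from any OpenID draft: it shows what "key binding via the cnf claim" means on the RP side, which is the mechanism the scope name debated above would request. Following RFC 9449 (DPoP) for access tokens, the RP computes the RFC 7638 thumbprint of the public key in the DPoP proof's `jwk` header and compares it with `cnf.jkt` in the id_token. That the id_token key-binding draft uses exactly this `cnf.jkt` shape is an assumption here, since the draft text is not on the page. The keys and tokens are constructed sample data with placeholder signature segments; signature verification, which a real RP does first, is deliberately out of scope.

```python
"""Check that an id_token is bound to the key presented in a DPoP proof.

Assumption (not confirmed by the thread): the id_token carries
cnf = {"jkt": <RFC 7638 SHA-256 JWK thumbprint>} exactly as RFC 9449
specifies for DPoP-bound access tokens.
"""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# RFC 7638: hash the JSON object containing only the required members of the
# key type, keys in lexicographic order, no whitespace. Optional members such
# as kid or alg must NOT influence the thumbprint.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """Return the base64url SHA-256 JWK thumbprint (the value used in cnf.jkt)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    try:
        subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"JWK missing required member {exc}") from exc
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def jwt_parts(token: str) -> tuple:
    """Split a compact JWS into (header, claims). The signature segment is ignored
    here; a real RP verifies both the id_token and the DPoP proof signatures first."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_key_binding(id_token: str, dpop_proof: str) -> bool:
    """True iff the id_token's cnf.jkt equals the thumbprint of the DPoP proof key."""
    proof_header, _ = jwt_parts(dpop_proof)
    if proof_header.get("typ") != "dpop+jwt" or not isinstance(proof_header.get("jwk"), dict):
        return False  # not a DPoP proof, so nothing to bind against
    _, claims = jwt_parts(id_token)
    jkt = claims.get("cnf", {}).get("jkt")
    if not isinstance(jkt, str):
        return False  # no cnf.jkt: the token is an ordinary bearer id_token
    expected = jwk_thumbprint(proof_header["jwk"])
    return hmac.compare_digest(jkt.encode("utf-8"), expected.encode("ascii"))


# ---- constructed sample data (not real keys or tokens) ----------------------
def unsigned_jws(header: dict, payload: dict) -> str:
    """Compact JWS with a placeholder third segment; sample data only."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.PLACEHOLDER-SIGNATURE"


CLIENT_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url_encode(b"\x01" * 32), "y": b64url_encode(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": b64url_encode(b"\x03" * 32), "y": b64url_encode(b"\x04" * 32)}


def constructed_tokens(bound_key: dict, proof_key: dict) -> tuple:
    """An id_token bound to bound_key and a DPoP proof presenting proof_key."""
    id_token = unsigned_jws(
        {"alg": "RS256", "typ": "JWT"},
        {"iss": "https://op.example", "sub": "248289761001", "aud": "client-abc",
         "cnf": {"jkt": jwk_thumbprint(bound_key)}})
    proof = unsigned_jws(
        {"typ": "dpop+jwt", "alg": "ES256", "jwk": proof_key},
        {"jti": "constructed-1", "htm": "GET", "htu": "https://rp.example/cb", "iat": 1756489200})
    return id_token, proof


if __name__ == "__main__":
    print("same key   ->", check_key_binding(*constructed_tokens(CLIENT_JWK, CLIENT_JWK)))
    print("other key  ->", check_key_binding(*constructed_tokens(CLIENT_JWK, OTHER_JWK)))
```

The negative case is the point of the claim: an id_token replayed by a party that does not hold the client's DPoP private key fails the check even though the token itself is untouched, which a bearer id_token cannot offer. Ignoring optional JWK members in the thumbprint matters too, otherwise a `kid` added by the client would break binding for no security gain.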