[Openid-specs-ab] Call for Adoption for the OpenID Connect Key Binding Specification

Dick Hardt dick.hardt at gmail.com
Mon Sep 29 11:27:53 UTC 2025 

Ralph

We are not suggesting that the ID Token be used by any actor other than the
intended audience.

Are you able to provide any lessons for the WG regarding the issues you had
so we can avoid those?

/Dick


On Fri, Sep 26, 2025 at 9:37 PM Ralph Bragg via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Likewise, I do not support utilisation the id token In this way for the
> reasons already raised. We’ve just had issues with multiple aud values
> being identified as a significant source of vulnerability with PKJ so
> extending / modifying an id tokens aud raises too many concerns for me as a
> potential mitigation. I don’t believe that this token should be relied on
> by any actor other than the intended audience.
>
> Ralph Bragg
>
> Chief Technology Officer
>
> M.
>
>
>
> +447890130559
>
> T.
>
>
>
> +44 20 4583 6770
>
> ralph.bragg at raidiam.com
>
>
> ------------------------------
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on
> behalf of Andrii Deinega via Openid-specs-ab <
> openid-specs-ab at lists.openid.net>
> *Sent:* Saturday, September 27, 2025 4:26:07 AM
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Andrii Deinega <andrii.deinega at gmail.com>
> *Subject:* Re: [Openid-specs-ab] Call for Adoption for the OpenID Connect
> Key Binding Specification
>
> I believe that any recipient of a JWT (in this case, an ID Token) should
> immediately reject it if it isn't the intended audience (which is indicated
> by the aud claim), regardless of whether cryptographic binding is present
> or not. This alone makes the statement below too problematic for me.
>
> When an RP wants to prove to another system that it has authenticated a
> user, it may present the ID Token as a bearer token. However, bearer tokens
> are vulnerable to theft and replay attacks - if an attacker intercepts the
> ID Token, they can impersonate the authenticated user to downstream systems
> that accept a ID Token as a bearer token.
>
>
> It's difficult to imagine multiple systems (recipients) sharing the same
> value in the aud claim (this value must be a client_id of the RP per the
> Core spec). It's fair to add the aud claim may contain an array with more
> than one element, but it's also fair to say this practice is discouraged
> (1) and comes with additional complexity and concerns (2).
>
> At the end of the day... I see a lot of value, and I see the reason why
> people want to have the standard around "proving to another system that it
> has authenticated a user," but I don't think that repurposing existing ID
> Tokens for it is the right way to go.... I’d suggest, and actually love to
> see - the use of SD JWT VCs (or other VCs) for this purpose instead.
>
> I haven’t reached the point where I need to "touch" Justin’s concerns... I
> fully agree with him on them.
>
> All the best,
> Andrii
>
> On Fri, Sep 26, 2025 at 9:05 AM Justin Richer via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> I do not support adoption of this work. The ID Token is not intended to be
> a conveyable artifact, and using it as such is a security layer boundary.
> It’s hard enough to get people to not use ID Tokens as Access Tokens today,
> since a lot of developers see all JWTs as equivalent, really. This work
> would make this problem significantly worse.
>
>  — Justin
>
> On Sep 15, 2025, at 6:57 PM, Michael Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> This starts a two-week call for feedback on whether to adopt the OpenID
> Connect OpenID Connect Key Binding specification contributed to the working
> group by Dick Hardt and Ethan Heilman as an OpenID Connect Working Group
> specification.  Please reply-all by Monday, September 29, 2025 saying
> whether you are favor of adoption or not, also saying why.
>
> The specification was contributed at
> https://lists.openid.net/pipermail/openid-specs-ab/2025-August/010890.html.
> It has been extensively discussed by the working group both on calls and on
> the mailing list.  From my observations of the discussion as a working
> group chair, I believe that there is consensus that it would be useful to
> have a standard solving the problem addressed by this specification.
>
>                                                 Writing as a working group
> chair,
>                                                                 -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250929/86ff3f69/attachment.htm>

More information about the Openid-specs-ab mailing list