[Openid-specs-ab] Call for Adoption for the OpenID Connect Key Binding Specification
Dick Hardt
dick.hardt at gmail.com
Mon Sep 29 11:28:03 UTC 2025
The opposition to adoption has highlighted some misconceptions about the
proposed document.
We are not proposing the id_token be used to access resources. It is an
id_token. It represents authentication and identity claims about the user.
We view the component (C1) that acquires an id_token from the OP with a key
binding, and a component (C2) that is presented the id_token with a DPoP
proof, as both part of the same RP. They are both relying on the claims
made by the OP. The "aud" claim is therefore critical to the validation by
C2.
Two examples:
- Alice is using a video conferencing client and obtains an id_token with
key binding using OIDC and aud=1234. Alice's client then sends the id_token
to Bob's instance of the video conferencing client signing the message.
Bob's video conferencing client verifies the id_token and confirms aud=1234
and that it was another instance of the client that obtained the id_token.
- A mobile app obtains an id_token, and wants to obtain an access token
from the server. It presents the id_token with a dpop proof to the server
that checks it has the same aud value (as it is part of the same RP) and
returns a 1P access token.
The VC approach in OpenID Connect UserInfo Verifiable Credentials drops the
"aud" claim -- making that approach inferior.
Given the misconceptions, we will add additional non normative language on
how a key bound id_token should be used, and where it should not be used.
Finally, I want to acknowledge that some of the opposition expressed may
reflect interpersonal dynamics as well as technical concerns. I trust the
chairs will take that into account when weighing the feedback, while
focusing on the technical merits of the proposal.
/Dick & Ethan
On Mon, Sep 15, 2025 at 11:57 PM Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> This starts a two-week call for feedback on whether to adopt the OpenID
> Connect Key Binding specification contributed to the working
> group by Dick Hardt and Ethan Heilman as an OpenID Connect Working Group
> specification. Please reply-all by Monday, September 29, 2025 saying
> whether you are in favor of adoption or not, also saying why.
>
> The specification was contributed at
> https://lists.openid.net/pipermail/openid-specs-ab/2025-August/010890.html.
> It has been extensively discussed by the working group both on calls and on
> the mailing list. From my observations of the discussion as a working
> group chair, I believe that there is consensus that it would be useful to
> have a standard solving the problem addressed by this specification.
>
> Writing as a working group chair,
>
> -- Mike