[Openid-specs-ab] Possible typo on Client Authentication

Brian Campbell bcampbell at pingidentity.com
Tue Apr 3 11:59:14 UTC 2012


I believe that what is there is correct or at least what was intended.
"iss" is the issuer of the JWT to be used for client authentication. In
this case it's saying that such JWTs are self issued.  Which makes sense
and I think is what was intended (but don't know so someone please correct
me, if I'm wrong).

Is it potentially too restrictive though?  It would seem to presume that
clients always have access to the keying material. That's likely the case
most of the time but the text as written would seem to preclude a situation
where a client might interact with an STS (that holds the key material) to
obtain a JWT for client authentication.


On Mon, Apr 2, 2012 at 3:53 PM, Pam Dingle <pdingle at pingidentity.com> wrote:

> In section 2.2.1 of the Messages document (draft 08), in the Client
> Authentication section, the iss and the prn elements both have identical
> definitions, both containing the client_id of the OAuth Client.  Shouldn't
> the issuer be the AS?
>
> Here is the text:
>
>
> iss REQUIRED. The iss (issuer) Claim. This MUST contain the client_id of
> the OAuth Client.
>
> prn REQUIRED. The prn (principal) Claim. This MUST contain the client_id of
> the OAuth Client.
>
>
> Thanks, talk to you shortly.
>
> --
> *Pamela Dingle*  |  Sr. Technical Architect
> *Ping**Identity*  |   www.pingidentity.com
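The rule quoted from section 2.2.1 in this thread, as an added example that is not part of the original messages or of the OpenID specification: a server-side check that accepts a client authentication JWT only when iss and prn both carry the client_id, which also shows why a JWT issued by an STS on the client's behalf fails the text as written. HS256 with a shared secret, the client_id `client-123`, the STS issuer URL and all function names are assumptions; the other claims of section 2.2.1 are not shown on this page and are left out.

```python
import base64, hashlib, hmac, json

# Constructed sample registry: client_id -> shared secret (both hypothetical).
CLIENT_KEYS = {"client-123": b"constructed-client-secret"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_assertion(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample input."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_mac(key, header + '.' + body))}"

def check_client_assertion(jwt: str, client_keys: dict) -> str:
    """Return the authenticated client_id, or raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = jwt.split(".")
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(body_b64))
        sig = _unb64(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except ValueError as exc:
        raise ValueError("malformed JWT") from exc
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    iss, prn = claims.get("iss"), claims.get("prn")
    # Text as quoted: iss and prn MUST each contain the client_id, so the JWT
    # is self-issued and an STS-issued one (iss = STS) is rejected here.
    if not isinstance(iss, str) or iss != prn:
        raise ValueError("iss and prn must both carry the client_id")
    key = client_keys.get(iss)
    if key is None:
        raise ValueError("unknown client")
    if not hmac.compare_digest(sig, _mac(key, header_b64 + "." + body_b64)):
        raise ValueError("bad signature")
    return iss
```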