[Openid-specs-ab] OpenID Connect Federation draft Incorporating Feedback from First Interop Event

Brian Campbell bcampbell at pingidentity.com
Wed Jul 8 17:14:39 UTC 2020


I added some comments about the JAR/PAR use to
https://bitbucket.org/openid/connect/issues/1164/insecure-front-channel-use-of
but not sure that's the best or most appropriate place. So copied below too:
-

draft -12
https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.9.1.1.1
is now using the request object as one option. However, it requires ‘sub’
saying “The claim sub MUST contain the entity ID of the OpenID Connect
provider.” I assume that’s a mistake and should have said it’s the client
identifier? That’d make more sense and is what the content of the example
has. The same presumably erroneous text is there for ‘iss’ too.

But *WHY* is sub required? The same data would already be carried in the
‘iss’ claim and the ‘client_id’ claim and the ‘client_id’ parameter. Worse
the ‘sub’ claim means that the request JWT could likely be used as a
private_key_jwt in a token confusion type attack as discussed in
https://github.com/oauthstuff/draft-oauth-par/issues/41#issuecomment-615475230
and subsequent comments. So the problem at the heart of this issue is still
present.
-
-

Also -12 references an old and expired PAR draft
https://openid.net/specs/openid-connect-federation-1_0-12.html#PAR and
https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.3.2
has “URL of the Authorization Server's Authorization Endpoint or the
Authorization Server's entity_id” (note ‘entity_id’ isn’t used anywhere
else) for the ‘aud’ of private_key_jwt, which isn’t consistent with the
below text from
https://www.ietf.org/id/draft-ietf-oauth-par-01.html#section-2 :

“Note that there's some potential ambiguity around the appropriate audience
value to use when JWT client assertion based authentication is employed. To
address that ambiguity the issuer identifier URL of the AS according to
[RFC8414] SHOULD be used as the value of the audience. In order to facilitate
interoperability the AS MUST accept its issuer identifier, token endpoint
URL, or pushed authorization request endpoint URL as values that identify
it as an intended audience.”

On Wed, Jul 1, 2020 at 7:22 PM Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> See
> https://openid.net/2020/07/01/openid-connect-federation-draft-incorporating-feedback-from-first-interop-event/.
> This now uses JAR or PAR for automatic registrations.
>
>
>
>                                                        -- Mike
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>

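The confusion the message describes is that a JAR request object carrying iss = sub = the client's entity ID and an aud naming the AS satisfies every claim check a token endpoint normally applies to a private_key_jwt assertion. The following is an added example, not code from the draft or from anyone on the thread, showing the claims-level checks a token endpoint can apply to tell the two apart: it accepts the audience forms from the PAR-01 text quoted above and rejects any would-be assertion that carries authorization-request parameters or a non-JWT `typ`. All URLs, client identifiers and key ids are constructed, and signature verification against the client's registered key is assumed to have been done before this function is called.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed AS identifiers for this example (not values from the draft).
AS_ISSUER = "https://as.example.com"
AS_TOKEN_ENDPOINT = "https://as.example.com/token"
AS_PAR_ENDPOINT = "https://as.example.com/par"

# Audiences accepted on a client assertion, per the quoted PAR-01 text:
# issuer identifier, token endpoint URL, or PAR endpoint URL.
ACCEPTED_ASSERTION_AUDIENCES = {AS_ISSUER, AS_TOKEN_ENDPOINT, AS_PAR_ENDPOINT}

# Parameters that belong to an authorization request. Their presence in a
# would-be client assertion marks a request object offered as private_key_jwt.
AUTHZ_REQUEST_CLAIMS = {"response_type", "redirect_uri", "scope", "state",
                        "nonce", "code_challenge", "request_uri"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Build a JWS compact serialization with a placeholder signature.
    Used only to construct sample inputs; real deployments verify the
    signature against the client's registered key before the claim checks."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), _b64url_encode(b"placeholder")])


def decode_jwt(token: str) -> Tuple[dict, dict]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_client_assertion(token: str, client_id: str,
                              now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (True, "ok") if token is acceptable as a private_key_jwt client
    assertion for client_id, otherwise (False, reason). Signature assumed verified."""
    now = int(time.time()) if now is None else now
    try:
        header, claims = decode_jwt(token)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed JWT"

    # 1. An explicit non-JWT media type (e.g. RFC 9101's "oauth-authz-req+jwt")
    #    is not a client assertion at all.
    typ = header.get("typ")
    if typ is not None and typ.lower() not in ("jwt", "application/jwt"):
        return False, f"unexpected typ {typ!r}"

    # 2. iss and sub must both be the client identifier (RFC 7523 / OIDC Core).
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub do not match client_id"

    # 3. aud must name this AS in an accepted form; a request object addressed
    #    to the authorization endpoint fails here.
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & ACCEPTED_ASSERTION_AUDIENCES:
        return False, f"aud {aud!r} does not identify this AS"

    # 4. Lifetime and replay protection.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "missing or expired exp"
    if not claims.get("jti"):
        return False, "missing jti"

    # 5. Authorization-request parameters never belong in a client assertion.
    #    This catches a request object whose iss, sub and aud pass checks 2-3.
    leaked = AUTHZ_REQUEST_CLAIMS & set(claims)
    if leaked:
        return False, f"request object presented as client assertion: {sorted(leaked)}"
    return True, "ok"


# Constructed sample inputs.
CLIENT_ID = "https://rp.example.org"   # constructed client entity ID
NOW = 1_600_000_000

GOOD_ASSERTION = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "rp-key-1"},
    {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": AS_ISSUER, "exp": NOW + 60, "jti": "a1"})

# Request object as the message describes it: iss and sub both carry the
# client's entity ID and aud names the AS, so only the authorization
# parameters distinguish it from a client assertion.
REQUEST_OBJECT = make_unsigned_jwt(
    {"alg": "RS256", "kid": "rp-key-1"},
    {"iss": CLIENT_ID, "sub": CLIENT_ID, "client_id": CLIENT_ID, "aud": AS_ISSUER,
     "response_type": "code", "redirect_uri": CLIENT_ID + "/cb", "scope": "openid",
     "exp": NOW + 60, "jti": "r1"})

if __name__ == "__main__":
    for name, tok in (("client assertion", GOOD_ASSERTION), ("request object", REQUEST_OBJECT)):
        print(name, validate_client_assertion(tok, CLIENT_ID, now=NOW))
```

Check 5 is the one that matters for the issue raised in the message: once a request object is allowed to carry `sub`, checks 2 through 4 alone cannot distinguish it from a legitimate assertion, so the token endpoint has to refuse anything shaped like an authorization request regardless of who signed it.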