<div dir="ltr"><div dir="ltr">Joseph: <br><br>10.1 attempts to summarise how to prevent a command token from being used as an id_token. <a href="https://openid.github.io/openid-provider-commands/main.html#name-cross-jwt-confusion">https://openid.github.io/openid-provider-commands/main.html#name-cross-jwt-confusion</a></div><div dir="ltr"><br></div><div>I lifted this from OpenID Backchannel Logout. <br><br>An idea for other normative language: An OP that supports OP Commands MUST / SHOULD require a `nonce` in the authorization request.<br><br><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, Mar 13, 2025 at 1:56 AM Joseph Heenan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<br id="m_-3300543278824746010lineBreakAtBeginningOfMessage">
<div><br>
<blockquote type="cite">
<div>On 13 Mar 2025, at 06:53, Andrii Deinega via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br>
<div>
<div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">
<div dir="ltr">On Wed, Mar 12, 2025 at 2:25 PM Dick Hardt <<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>> wrote:</div>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Mar 12, 2025 at 8:47 PM Andrii Deinega <<a href="mailto:andrii.deinega@gmail.com" target="_blank">andrii.deinega@gmail.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi WG,<br>
<br>
Wanted to send some feedback and suggestions a bit earlier... but didn't have enough time for that.
<div><br>
</div>
<div>1. I suggest extending Section 4 (Command Token) with a new required claim (client_id) to help prevent and address potential misuse and abuse. Thus, one of the provided examples for the command token (activate) becomes to look like this<br>
<br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:medium;padding:0px">
<div><i>{</i></div>
<div><i> "iss": "<a href="https://op.example.org/" target="_blank">https://op.example.org</a>",</i></div>
<div><i> "sub": "248289761001",</i></div>
<div><i> "aud": "<a href="https://rp.example.org/" target="_blank">https://rp.example.org</a>",</i></div>
<div><i> "client_id": "client1234567890"</i></div>
<div><i> "iat": 1734003000,</i></div>
<div><i> "exp": 1734003060,</i></div>
<div><i> "jti": "bWJq",</i></div>
<div><i> "command": "activate",</i></div>
<div><i> "given_name": "Jane",</i></div>
<div><i> "family_name": "Smith",</i></div>
<div><i> "email": "<a href="mailto:jane.smith@example.org" target="_blank">jane.smith@example.org</a>",</i></div>
<div><i> "email_verified": true,</i></div>
<div><i> "tenant": "ff6e7c9",</i></div>
<div><i> "groups": [</i></div>
<div><i> "b0f4861d",</i></div>
<div><i> "88799417"</i></div>
<div><i> ]</i></div>
<div><i>}</i></div>
</blockquote>
<div><br>
The key idea is that the aud claim includes (one or more) RP URLs where the client_id claim "carries" the client identifier. Note, this is in line with<span> </span><a href="https://datatracker.ietf.org/doc/html/rfc9068" target="_blank">JSON
Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068)</a>.<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>I'd prefer clarifying that the `aud` is the `client_id`, and has a single value. Is there a motivation for having the `aud` and `client_id` be different?</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Once you put "client_id" in the aud claim, you became a vulnerable for confusion attacks for those OPs (and authorization servers) that allow clients to influence their client_ids, I didn't make this up, this is part of <a href="https://datatracker.ietf.org/doc/html/rfc9700" target="_blank">the
Best Current Practice for OAuth 2.0 Security (RFC 9700)</a>, what I did is "simply" applied this to OP Commands.</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<div>The confusion attack only really applies where you have a ‘sub’ value that can contain a client id or a user identifier. That isn’t the case here.</div>
<div><br>
</div>
<div>The “typ” header (as already used in the provider command spec) avoids confusion with other types of token, and as this token is defined to only have ‘client_id’ in aud there’s no chance of confusion between client ids and user identifiers.</div>
<div><br>
</div>
<div>I think there probably is a small chance of confusion with an id_token though (the command token appears to pass all/most of the rules for validating an id_token as per <a href="https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation" target="_blank">https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation</a> ).
I’m not sure if that is a real problem, but if it is it would probably be best to put the client id into “client_id” and have no “aud”. “Client url” seems to be a new concept that we don’t have right now, I can’t see how it helps to introduce a new “client
url” concept just to use in “aud” here.</div>
<div><br>
</div>
<div>Joseph</div>
<div><br>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>