[Openid-specs-fapi] Issue #162: does part 2 allow client_secret_jwt? (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Tue Aug 14 16:16:25 UTC 2018


New issue 162: does part 2 allow client_secret_jwt?
https://bitbucket.org/openid/fapi/issues/162/does-part-2-allow-client_secret_jwt

Joseph Heenan:

It's not clear to me if part 2 allows client_secret_jwt.

Part 1 allows:

>  JWS Client Assertion using the `client_secret` or a private key as specified in section 9 of [OIDC];

(I think we should update the text to use the explicit names defined in section 9, i.e. client_secret_jwt and private_key_jwt.)

Part 2 doesn't explicitly say anything about client authentication; however, section 8.6 says:

> JWS signatures shall use the `PS256` or `ES256` algorithms for signing.

which would appear to rule out the use of HS256, which is required for client_secret_jwt.
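As an added illustration (not part of Joseph's post or the FAPI specs), the mechanics behind the question: a client_secret_jwt assertion is an HMAC keyed with the shared client_secret, so its header alg is always an HS* value, whereas the PS256/ES256 list in Part 2 section 8.6 is purely asymmetric. The script builds such an assertion with the Python standard library and applies the section 8.6 alg check an authorization server would; the client id, secret and token endpoint are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# JWS algorithms that FAPI Part 2 section 8.6 permits (quoted in the post).
FAPI_PART2_ALGS = {"PS256", "ES256"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_secret_jwt(client_id, client_secret, token_endpoint, now=None):
    """Build a client_secret_jwt client assertion (OIDC Core section 9).
    The signature is HMAC-SHA256 keyed with the shared client_secret,
    which is why the alg header is necessarily HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": "constructed-jti-1", "iat": now, "exp": now + 60}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_client_secret_jwt(jwt: str, client_secret: str) -> bool:
    """Server-side check: recompute the HMAC with the same shared secret.
    Both parties hold the key, so the assertion is not asymmetrically signed."""
    head, body, sig = jwt.split(".")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def classify_assertion(jwt: str) -> dict:
    """Read the JOSE header and decide, as an authorization server applying
    Part 2 section 8.6 would, whether the client assertion's alg is acceptable."""
    header = json.loads(b64url_decode(jwt.split(".")[0]))
    alg = header.get("alg", "")
    if alg.startswith("HS"):
        method = "client_secret_jwt"   # symmetric key: the shared client_secret
    elif alg.startswith(("RS", "PS", "ES")):
        method = "private_key_jwt"     # asymmetric key: the client's private key
    else:
        method = "unknown"
    return {"alg": alg, "method": method, "allowed_by_part2": alg in FAPI_PART2_ALGS}

if __name__ == "__main__":
    # Constructed sample client; the assertion verifies but fails the Part 2 alg rule.
    a = make_client_secret_jwt("client-1", "s3cret", "https://as.example/token")
    print(verify_client_secret_jwt(a, "s3cret"), classify_assertion(a))
```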
