[Openid-specs-fapi] Issue #162: does part 2 allow client_secret_jwt? (openid/fapi)
issues-reply at bitbucket.org
Tue Aug 14 16:16:25 UTC 2018
New issue 162: does part 2 allow client_secret_jwt?
It's not clear to me if part 2 allows client_secret_jwt.
part 1 allows:
> JWS Client Assertion using the `client_secret` or a private key as specified in section 9 of [OIDC];
(I think we should update the text to use the explicit names defined in section 9, i.e. client_secret_jwt and private_key_jwt)
part 2 doesn't explicitly say anything about client authentication, however section 8.6 says:
> JWS signatures shall use the `PS256` or `ES256` algorithms for signing.
which would appear to rule out the use of HS256 which is required for client_secret_jwt.
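
The conflict raised in this issue, as an added example that is not part of the original post or of the FAPI specification: a client_secret_jwt assertion is built with HS256 and then checked against the `PS256`/`ES256` allow-list quoted from section 8.6. The client id, secret, endpoint URL and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Algorithms permitted by the section 8.6 text quoted in the post.
FAPI_PART2_ALGS = {"PS256", "ES256"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_secret_jwt(client_id, client_secret, token_endpoint, now=None):
    """Build a client assertion MACed with the shared client_secret (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": "constructed-jti-1", "iat": now, "exp": now + 60}
    signing_input = (b64url(json.dumps(header).encode()) + "." +
                     b64url(json.dumps(claims).encode()))
    mac = hmac.new(client_secret.encode(), signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def assertion_alg(assertion):
    """Read the alg header of a compact JWS without verifying anything."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])).get("alg")

def hs256_valid(assertion, client_secret):
    """Verify the HMAC the way a server accepting client_secret_jwt would."""
    signing_input, _, sig = assertion.rpartition(".")
    expected = hmac.new(client_secret.encode(), signing_input.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def accept_under_part2(assertion):
    """Policy gate only: is alg in the allow-list? Run before key lookup."""
    return assertion_alg(assertion) in FAPI_PART2_ALGS

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    a = make_client_secret_jwt("client-123", "constructed-secret",
                               "https://as.example.com/token")
    print("alg:", assertion_alg(a))
    print("HMAC verifies:", hs256_valid(a, "constructed-secret"))
    print("allowed by PS256/ES256 rule:", accept_under_part2(a))
```

The assertion is cryptographically valid under the shared secret, yet the allow-list gate rejects it, which is the ambiguity the issue asks the specification to resolve.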