[Openid-specs-mobile-profile] Issue #128: ambiguities in 7.1.1 signed authentication request (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Wed Dec 12 12:10:30 UTC 2018


New issue 128: ambiguities in 7.1.1 signed authentication request
https://bitbucket.org/openid/mobile/issues/128/ambiguities-in-711-signed-authentication

Joseph Heenan:

The wording here is not great:

> Authentication request parameters MUST NOT be be outside the JWT and appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, will be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).

It's possible (albeit not very sane) to interpret this as "Authentication request parameters appear as HTTP request parameters" due to the use of 'and' rather than 'nor'.

I think the second sentence is normative, effectively ruling out the use of client_secret_basic (which is otherwise allowed-but-not-recommended by CIBA I believe), but the use of 'will' is ambiguous.

I would suggest:

Authentication request parameters MUST NOT be present outside of the JWT, in particular they MUST NOT appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, MUST be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).
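As an added illustration of the reading proposed above (this is example code, not part of the issue, the CIBA specification, or any OpenID reference implementation), the block below builds a backchannel authentication request whose parameters live only in the signed `request` JWT and then validates it server-side, rejecting any authentication request parameter that shows up as an HTTP form parameter and any form parameter the chosen client authentication method does not require. The client identifier, secret and issuer URL are constructed for the example, and HS256 stands in for the asymmetric signature a real client would use so that the code needs only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed identifiers and key for this example; HS256 stands in for the
# asymmetric signature a real CIBA client would use so the block needs only stdlib.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-secret-for-example-only"
AS_ISSUER = "https://as.example.com"

# Parameters of the CIBA authentication request itself (plus the request object's
# own JWT claims); under the proposed wording none of these may be HTTP parameters.
AUTH_REQUEST_PARAMS = {
    "scope", "client_notification_token", "acr_values", "login_hint_token",
    "id_token_hint", "login_hint", "binding_message", "user_code",
    "requested_expiry", "aud", "iss", "exp", "iat", "nbf", "jti",
}

# The only HTTP parameters each client authentication method is allowed to add.
CLIENT_AUTH_PARAMS = {
    "tls_client_auth": {"client_id"},
    "private_key_jwt": {"client_assertion", "client_assertion_type"},
}
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed sample authentication request claims.
EXAMPLE_CLAIMS = {"iss": CLIENT_ID, "aud": AS_ISSUER, "scope": "openid",
                  "login_hint": "alice", "binding_message": "W4SCT"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Compact JWS over the claims with the example HMAC key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature before trusting a single claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def build_backchannel_request(auth_method: str, claims: dict) -> str:
    """Client side: the whole authentication request travels inside `request`;
    the form carries nothing else except what the client auth method needs."""
    form = {}
    if auth_method == "tls_client_auth":
        form["client_id"] = CLIENT_ID
    elif auth_method == "private_key_jwt":
        form["client_assertion_type"] = JWT_BEARER
        now = int(time.time())
        form["client_assertion"] = sign_jwt(
            {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": AS_ISSUER, "exp": now + 60, "jti": "c1"})
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    form["request"] = sign_jwt(claims)
    return urlencode(form)


def validate_backchannel_request(body: str, auth_method: str) -> dict:
    """Server side: authentication request parameters outside the JWT are an
    error, and so is any HTTP parameter the client auth method does not require."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "request" not in form:
        raise ValueError("signed request object required")
    outside = set(form) & AUTH_REQUEST_PARAMS
    if outside:
        raise ValueError(f"authentication request parameters outside the JWT: {sorted(outside)}")
    unexpected = set(form) - {"request"} - CLIENT_AUTH_PARAMS[auth_method]
    if unexpected:
        raise ValueError(f"parameters not required by {auth_method}: {sorted(unexpected)}")
    claims = verify_jwt(form["request"])
    # The request object must be bound to the authenticated client (iss == client_id).
    if claims.get("iss") != CLIENT_ID or form.get("client_id", CLIENT_ID) != CLIENT_ID:
        raise ValueError("request object iss does not match the authenticated client")
    return claims


def rejected(body: str, auth_method: str):
    """Return the rejection reason, or None when the request is accepted."""
    try:
        validate_backchannel_request(body, auth_method)
        return None
    except ValueError as exc:
        return str(exc)
```

The validator only sees the form body, so a method that carries its credentials elsewhere (client_secret_basic in the Authorization header, mutual TLS on the connection) has to be checked where those credentials are actually read; the allow-list of form parameters per method is the part that enforces the wording at issue.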




More information about the Openid-specs-mobile-profile mailing list