[Openid-specs-mobile-profile] Issue #155: aud to use in client_assertion passed to Backchannel Authentication Endpoint is murky? (openid/mobile)

Hans Zandbelt hans.zandbelt at zmartzone.eu
Mon May 20 12:48:55 UTC 2019


I came across this on a similar note when implementing client
authentication to the (RFC 7009) token revocation endpoint and I'm
interested in your views.

Hans.

On Mon, May 20, 2019 at 2:43 PM <josephheenan at bitbucket.org> wrote:

> New issue 155: aud to use in client_assertion passed to Backchannel
> Authentication Endpoint is murky?
>
> https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to
>
> Joseph Heenan:
>
> We came across what looks like an oddity whilst implementing tests; I’m
> not sure if I’ve missed a specification or if there is something that could
> benefit from clarification:
>
> I can’t entirely figure out what the ‘aud’ value in a client assertion to
> the backchannel authentication endpoint should be.
>
> The client assertion spec, https://tools.ietf.org/html/rfc7521#section-5.1,
> says:
>
> ```
>  Audience
>       A value that identifies the party or parties intended to process
>       the assertion.  The URL of the token endpoint, as defined in
>       Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate that
>       the authorization server is a valid intended audience of the
>       assertion
> ```
>
> https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
> doesn’t seem to add any clarity.
>
> By contrast, the CIBA request object is quite clear: “The Audience claim
> MUST contain the value of the Issuer Identifier for the OP, which
> identifies the Authorization Server as an intended audience.”
>
> The three possibilities for the audience for client assertion seem to be:
>
> 1. the token endpoint (as RFC7521 says)
> 2. the backchannel authentication endpoint (because that’s where the
> assertion is being sent)
> 3. the issuer (to match the CIBA request object)
>
> The server I’m trying against (Authlete) seems to have interpreted it as
> ‘2’.
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
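As an added illustration (not code from this thread, from Authlete, or from any OpenID project): a minimal client assertion builder and the server-side check an authorization server could apply at the backchannel authentication endpoint, accepting any of the three candidate audiences listed in the issue rather than only one of them. It uses client_secret_jwt (HS256) instead of private_key_jwt so it runs with the standard library alone; the issuer, endpoint URLs, client id and secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
# Constructed sample values for illustration (assumptions, not from the thread).
ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = ISSUER + "/token"
BC_AUTH_ENDPOINT = ISSUER + "/bc-authorize"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret-for-client_secret_jwt"
# The three candidate audiences from the issue. A server that wants to tolerate the
# ambiguity can accept any of them at the backchannel authentication endpoint.
ACCEPTED_AUD = {TOKEN_ENDPOINT, BC_AUTH_ENDPOINT, ISSUER}
_seen_jti = set()  # in-memory replay cache for jti (per process; enough for the demo)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(aud, jti, now=None, lifetime=60):
    """Client side: client_secret_jwt (HS256) assertion carrying the chosen aud."""
    now = int(time.time()) if now is None else now
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud, "jti": jti,
              "iat": now, "exp": now + lifetime}
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_client_assertion(assertion, now=None):
    """Server side: returns (ok, reason) after checking alg, signature, iss/sub, aud, exp, jti."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(CLIENT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        return False, "iss/sub mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # RFC 7519: aud is a string or an array
    if not any(a in ACCEPTED_AUD for a in auds):
        return False, "aud not accepted"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if not claims.get("jti") or claims["jti"] in _seen_jti:
        return False, "missing or replayed jti"
    _seen_jti.add(claims["jti"])
    return True, "ok"
```

Whichever reading of the audience a deployment settles on, the jti replay cache and the exp check stay the same; only ACCEPTED_AUD changes.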