client_secret as the HMAC key...?
Issue #761
resolved
Messages 4.3. Signing[1] says tor "Symmetric Signatures ... the client and server MUST establish a shared secret out of band."
But isn't the shared secret intended to be the client_secret and shouldn't that be stated explicitly?
Step 6 in 5.2 ID Token Validation [2] says "If the alg parameter of the JWT header is a MAC based algorithm such as HS256, HS384, or HS512, the client_secret for the client_id contained in the aud (audience) Claim is used as the key to validate the signature.", which is consistent with client_secret as the MAC key. client_secret_jwt in 2.2.1. Client Authentication [3] does also.
[1] http://openid.net/specs/openid-connect-messages-1_0-15.html#sigs [2] http://openid.net/specs/openid-connect-messages-1_0-15.html#id.token.validation [3] http://openid.net/specs/openid-connect-messages-1_0-15.html#client_authentication
Comments (5)
-
-
reporter
even for those that don't implement the reg endpoint, the client sec is (I think) well understood and it should be called out that it is the shared secret that is used, or use to bootstrap, the symmetric crypto
-
-
assigned issue to
Michael Jones
We will make this clarification in 4.3.
-
assigned issue to
-
- changed status to resolved
Fixed
#761- client_secret as the HMAC key. Fixed#762- client_secret to key.→ <<cset 45d34fab8fac>>
-
Fixed
#761- client_secret as the HMAC key. Fixed#762- client_secret to key.→ <<cset 9d0ddfc1c934>>
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Messages
- Milestone
- Implementer's Draft
- Version
- –
- Votes
- 0
- Watchers
- 0
Yes, the messages paragraphs should link to the client_secret in registration, for OPs who choose to implement the reg endpoint.