Federation: Allow request_object auth method at PAR endpoint

Issue #1195 closed
Vladimir Dzhuvinov created an issue

So that request objects can be used at the PAR endpoint as well as at the AR endpoint.

https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.3.2

Suggested change:

If pushed authorization is used then one of private_key_jwt, request_object, tls_client_auth and self_signed_tls_client_auth can be used.

Comments (8)

  1. Vladimir Dzhuvinov reporter

    @Brian Campbell Good point. The OIDC Fed request object extends the original OIDC request object with aud(=PAR endpoint), iss(=client_id), jti and exp to make it almost a private_key_jwt (but omits sub to prevent confusion, which was the subject of another ticket I believe).

    Do you reckon we should change the term request_object to something more appropriate?

    The current draft 12 does indeed talk about “client authentication” under client_registration_authn_methods_supported, but this can be true only for the PAR endpoint. “Client registration authentication methods” or “client registration request authentication methods” should be the term to use.

    https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.3.2
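
As an added illustration (not code from the issue, the Federation draft or any implementation): a PAR-endpoint check of the claims listed above (aud = PAR endpoint, iss = client_id, jti, exp, no sub), with constructed endpoint and client identifiers; signature verification against the client's published federation keys is assumed to happen elsewhere.

```python
import base64
import json

# Constructed values for the example; not taken from the issue or the spec.
PAR_ENDPOINT = "https://op.example.com/par"
CLIENT_ID = "https://rp.example.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature segment; a real request
    # object is signed with a key the client has published in its entity statement.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "rp-key-1"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    # Reads the payload only; signature checking is assumed to be done separately.
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_par_request_object(claims: dict, par_endpoint: str, client_id: str,
                             now: int, seen_jti: set) -> list:
    """Return the reasons to reject the request object; an empty list means accept."""
    errors = []
    if claims.get("iss") != client_id:
        errors.append("iss must equal the client_id")
    aud = claims.get("aud")
    if par_endpoint not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud must name this PAR endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        errors.append("exp missing or in the past")
    jti = claims.get("jti")
    if not jti:
        errors.append("jti required")
    elif jti in seen_jti:
        errors.append("jti already used (replay)")
    if "sub" in claims:
        # A private_key_jwt assertion carries sub == iss; the federation request
        # object omits sub so the two token types cannot be confused for each other.
        errors.append("sub must be absent in a request object")
    if "client_id" in claims and claims["client_id"] != client_id:
        errors.append("client_id parameter must match iss")
    if not errors:
        seen_jti.add(jti)  # remember accepted jti values to detect replay
    return errors
```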

  2. Vladimir Dzhuvinov reporter

    Or simply “request authentication” method?

    Because with the request_object (at the authz endpoint) we have a JWT authenticating the authZ, plus the implicit registration request.

  3. Roland Hedberg

    Agree, request_object is not a client authentication method.

    But it is used in a client authentication method. Basically as a proof-of-possession of a signing key that the client has published.

    Picking another name (than request_object) is a good thing.

    request_object_based_client_auth is a bit long but catches the important thing.

  4. Brian Campbell

    I guess I’d continue to advocate that things be kept distinct. Don’t try and make a signed request object into a form of client authentication for direct client to AS requests.
