Federation: Allow request_object auth method at PAR endpoint
So that request objects can be used with the PAR endpoint as well as at the AR endpoint.
https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.3.2
Suggested change:
If pushed authorization is used then one of private_key_jwt, request_object, tls_client_auth and self_signed_tls_client_auth can be used.
Comments (8)
reporter @Brian Campbell Good point. The OIDC Fed request object extends the original OIDC request object with aud (=PAR endpoint), iss (=client_id), jti and exp to make it almost a private_key_jwt (but omits sub to prevent confusion, which was the subject of another ticket I believe). Do you reckon we should change the term request_object to something more appropriate?
The current draft 12 does indeed talk about “client authentication” under client_registration_authn_methods_supported, but this can be true only for the PAR endpoint. “Client registration authentication methods” or “client registration request authentication methods” should be the term to use.
https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.3.2
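The claim set described in the comment above (aud naming the PAR endpoint, iss equal to the client_id, jti and exp, and no sub) is what lets a pushed request object double as proof of possession of the client's signing key. The following is an added example, not code from the ticket or from the specification, showing the checks a PAR endpoint would run before accepting such a request object as request authentication. The endpoint URL, client identifier and key are constructed values; HS256 with a shared secret stands in for the asymmetric signature a federation client would really produce with the key published in its entity statement, so that the example runs with only the standard library.

```python
"""Validate a request object pushed to a PAR endpoint as request authentication.

Added example. PAR_ENDPOINT, CLIENT_ID and DEMO_KEY are constructed values;
HS256 is a stand-in for the asymmetric JWS algorithm used in practice.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

PAR_ENDPOINT = "https://op.example.com/par"   # constructed
CLIENT_ID = "https://rp.example.org"          # constructed entity identifier
DEMO_KEY = b"constructed-demo-key"            # stand-in for the client's published key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Compact JWS over the claims (HS256 stand-in, see module docstring)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the signature and return the decoded claims."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    return json.loads(_b64url_decode(payload))


def build_request_object(now: int, lifetime: int = 60, **extra) -> dict:
    """Claims of a request object bound for the PAR endpoint: the ordinary
    authorization parameters plus aud/iss/jti/exp, and deliberately no sub."""
    claims = {
        "iss": CLIENT_ID,
        "aud": PAR_ENDPOINT,
        "client_id": CLIENT_ID,
        "jti": str(uuid.uuid4()),
        "iat": now,
        "exp": now + lifetime,
        "response_type": "code",
        "redirect_uri": CLIENT_ID + "/callback",
        "scope": "openid",
    }
    claims.update(extra)  # lets a caller construct deliberately bad variants
    return claims


class ParRequestAuthenticator:
    """Accepts a pushed request object only if it is bound to this endpoint,
    to the presenting client, is fresh, and has not been seen before."""

    def __init__(self, par_endpoint: str, clock=time.time):
        self.par_endpoint = par_endpoint
        self.clock = clock
        self.seen_jti = set()  # replay cache; prune entries past their exp in production

    def authenticate(self, token: str, presented_client_id: str) -> dict:
        claims = verify_jwt(token)
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if self.par_endpoint not in audiences:
            raise ValueError("aud must name this PAR endpoint")
        if claims.get("iss") != presented_client_id or claims.get("client_id") != presented_client_id:
            raise ValueError("iss and client_id must both equal the presenting client")
        if "sub" in claims:
            raise ValueError("request objects carry no sub; that is private_key_jwt")
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= self.clock():
            raise ValueError("request object expired or has no exp")
        jti = claims.get("jti")
        if not jti:
            raise ValueError("jti is required for replay protection")
        if jti in self.seen_jti:
            raise ValueError("request object replayed")
        self.seen_jti.add(jti)
        return claims


def rejection_reason(auth: ParRequestAuthenticator, token: str, client_id: str):
    """Return the rejection message, or None when the request object is accepted."""
    try:
        auth.authenticate(token, client_id)
    except ValueError as exc:
        return str(exc)
    return None
```

The aud check is what distinguishes a request object meant for the PAR endpoint from one meant for the authorization endpoint, and the explicit rejection of sub keeps the two token shapes from being confused with each other, which is the concern the comment raises.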
-
reporter Or simply “request authentication” method?
Because with the request_object (at the authz endpoint) we have a JWT authenticating the authZ, plus the implicit registration request.
-
Agree, request_object is not a client authentication method.
But it is used in a client authentication method. Basically as a proof-of-possession of a signing key that the client has published.
Picking another name (than request_object) is a good thing.
request_object_based_client_auth is a bit long but catches the important thing.
-
I guess I’d continue to advocate that things be kept distinct. Don’t try and make a signed request object into a form of client authentication for direct client to AS requests.
-
@Roland Hedberg Any updates?
-
Yes, in the last (not yet published) version of the specification we have changed from talking about client authentication to request authentication as proposed by @Vladimir Dzhuvinov . The latest version of the draft can always be found at https://github.com/rohe/oidcfederation .
-
- changed status to closed
request_object isn’t a client authentication method