- changed status to open
Metadata Discovery with encrypted private_key_jwt
In “10.1.1. Authentication Request” here, and in “10. Signatures and Encryption” of OIDC Core 1.0, it is specified that a private_key_jwt, the value of the request object, can be signed and optionally also encrypted.
In the case of OIDC Federation, considering a negotiation of automatic client registration, if the private_key_jwt is encrypted I believe it would be appropriate to specify that the "client_id" parameter must be present within the URL-encoded parameters OR within the claims of the JWE header.
Otherwise the provider receiving the request would not be able to obtain the client_id, that is, the URL from which to start the Metadata Discovery procedure.
Comments (3)
reporter Thank you, it works and is well defined as a standard; there could be no better solution.
reporter - changed status to resolved
It's reasonable to include the client_id as a Header Parameter in the encrypted JWT in this case. Indeed, the JWT spec itself describes such usage at https://datatracker.ietf.org/doc/html/rfc7519#section-5.3.
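The pattern agreed on above, as an added example that is not code from this thread or from the OpenID Connect Federation draft: the RP replicates client_id (and iss) into the JWE Protected Header of the encrypted request object, so the OP can read the Entity ID and start Metadata Discovery before it holds anything it can decrypt. Everything here is assumed for illustration: the Go standard library is used directly (no JOSE library), the function names EncryptRequestObject, PeekClientID and DecryptRequestObject are invented, the Entity ID https://rp.example.org is constructed, and the inner signed JWS is a placeholder byte string rather than a real request object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// protectedHeader is the JWE Protected Header. client_id (and iss) are replicated here,
// the RFC 7519 section 5.3 pattern, so the OP can read the RP's Entity ID before decrypting.
type protectedHeader struct {
	Alg      string `json:"alg"`
	Enc      string `json:"enc"`
	Cty      string `json:"cty,omitempty"`
	ClientID string `json:"client_id"`
	Iss      string `json:"iss"`
}

// gcm builds the A256GCM AEAD; the constructors only fail on a bad key size, which 32 bytes rules out.
func gcm(cek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(cek)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// EncryptRequestObject wraps an already signed request object (the inner JWS) in a JWE
// compact serialization (RSA-OAEP-256 + A256GCM) that carries client_id in its protected header.
func EncryptRequestObject(opPub *rsa.PublicKey, clientID string, signedJWS []byte) (string, error) {
	hdrJSON, _ := json.Marshal(protectedHeader{ // a struct of strings always marshals
		Alg: "RSA-OAEP-256", Enc: "A256GCM", Cty: "JWT", ClientID: clientID, Iss: clientID})
	protected := b64.EncodeToString(hdrJSON)
	rnd := make([]byte, 32+12) // fresh content-encryption key || 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	cek, iv := rnd[:32], rnd[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, opPub, cek, nil)
	if err != nil {
		return "", err
	}
	// The ASCII protected header is the AAD, so a client_id edited afterwards breaks the tag.
	sealed := gcm(cek).Seal(nil, iv, signedJWS, []byte(protected))
	split := len(sealed) - 16 // the GCM tag is the final 16 bytes
	return strings.Join([]string{protected, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}, "."), nil
}

// PeekClientID is the OP's first step: read client_id from the protected header without
// decrypting. The value is unauthenticated here; it only says where to fetch metadata and keys.
func PeekClientID(jwe string) (string, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return "", errors.New("not a JWE compact serialization")
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr protectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.ClientID == "" {
		return "", errors.New("client_id missing from JWE protected header")
	}
	return hdr.ClientID, nil
}

// DecryptRequestObject recovers the inner JWS with the OP's private key. A header whose
// client_id was altered in transit fails GCM authentication here.
func DecryptRequestObject(opPriv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a JWE compact serialization")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64 fails below
	iv := dec(parts[2])
	if len(iv) != 12 {
		return nil, errors.New("bad A256GCM nonce length")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, opPriv, dec(parts[1]), nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("cannot recover a 32-byte content encryption key")
	}
	return gcm(cek).Open(nil, iv, append(dec(parts[3]), dec(parts[4])...), []byte(parts[0]))
}

func main() {
	opKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the OP's encryption key pair, generated for the demo
	jwe, _ := EncryptRequestObject(&opKey.PublicKey, "https://rp.example.org", []byte("<inner signed JWS>"))
	id, _ := PeekClientID(jwe) // constructed Entity ID; real discovery would now fetch it over HTTPS
	fmt.Println("entity configuration at", id+"/.well-known/openid-federation")
	pt, err := DecryptRequestObject(opKey, jwe)
	fmt.Println(string(pt), err)
}
```

The caveat a receiving OP should keep in mind: the client_id read by PeekClientID is only a discovery pointer. It is integrity-protected as GCM additional authenticated data, so it cannot be swapped without breaking decryption, but nothing about it is verified until the JWE decrypts and the inner JWS signature checks out against the keys obtained by resolving that very client_id. An OP should therefore use the header value to fetch the RP's entity configuration and trust chain, and only treat the request as coming from that RP once both steps succeed.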