Metadata Discovery with encrypted private_key_jwt

Issue #1357 resolved
Giuseppe De Marco created an issue

In “10.1.1. Authentication Request”, here, and in OIDC Core 1.0, in “10.  Signatures and Encryption”, it is specified that a private_key_jwt, the value of the request object, can be signed and optionally encrypted as well.

In the case of OIDC Federation, considering a negotiation of automatic client registration, if private_key_jwt is encrypted I believe that it would be appropriate to specify that the "client_id" parameter must be present within the urlencoded parameters OR within the claims of the JWE header.

Otherwise the provider receiving the request would not be able to obtain the client_id, that is the url from which to start the Metadata Discovery procedure.
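
The lookup described above, as an added example that is not part of this issue or of the Federation spec: an OP-side helper that takes client_id from the URL-encoded parameters or, failing that, from the protected header of an encrypted request object (readable before decryption), and then forms the entity configuration URL where Metadata Discovery starts. The sample JWE is constructed with placeholder segments, and carrying client_id in the JWE header is the issue's proposal, assumed here rather than taken from spec text.

```python
import base64
import json
from urllib.parse import urlparse, parse_qs

# OpenID Federation publishes an entity's configuration under this well-known path.
WELL_KNOWN = "/.well-known/openid-federation"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwe_protected_header(token):
    """Return the protected header of a compact JWE, or None for anything else.
    Only the first segment is parsed; the ciphertext is never touched, so this
    works before (and without) decryption. A signed-only JWS has three segments
    and is rejected here: its client_id lives in the payload, not the header."""
    parts = token.split(".")
    if len(parts) != 5:
        return None
    header = json.loads(_b64url_decode(parts[0]))
    return header if "enc" in header else None


def resolve_client_id(authz_request_url):
    """Order proposed in the issue: URL-encoded client_id first, JWE header second."""
    params = parse_qs(urlparse(authz_request_url).query)
    if "client_id" in params:
        return params["client_id"][0]
    request_object = params.get("request", [None])[0]
    header = jwe_protected_header(request_object) if request_object else None
    if header and "client_id" in header:
        return header["client_id"]
    return None  # nothing to start Metadata Discovery from


def entity_configuration_url(client_id):
    """Entity Identifiers are https URLs; discovery begins at their well-known path."""
    if not client_id or urlparse(client_id).scheme != "https":
        raise ValueError("client_id must be an https Entity Identifier")
    return client_id.rstrip("/") + WELL_KNOWN


def constructed_jwe(header):
    """Constructed sample: a compact JWE whose protected header is `header`. The
    encrypted key, IV, ciphertext and tag are placeholder bytes, not real crypto."""
    def enc(b):
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"key"), enc(b"iv"), enc(b"ct"), enc(b"tag")])
```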

Comments (3)

  1. Giuseppe De Marco (reporter)

    Thank you, it works and is well defined as a standard; there could be no better solution.
