[Federation] Request object sub claim
In Section “10.1.1.1. Using a Request Object” we have several constraints about how to compose the Request Object (for automatic client registration).
One of these prevents the usage of the claim sub.
However, in the non-normative example we found the sub claim.
I’d suggest removing the constraint that prevents the usage of the sub claim; if present, it will simply be ignored by OPs, which will only look for the client_id claim.
Comments (6)
-
reporter jti doesn't help, and the whole issue of a request object as private_key_jwt is subtle (some context: https://bitbucket.org/openid/connect/issues/1164/insecure-front-channel-use-of), so some caution is warranted in this area.
-
reporter Ok, I can't see the need to reuse this AR JWT as private_key_jwt.
This means that this issue would only address the presence of the sub claim in the normative example.
-
reporter And probably this should be mentioned in the security considerations. @Michael Jones @Roland Hedberg
-
reporter Fixed here:
https://bitbucket.org/openid/connect/pull-requests/217/fix-federation-remove-sub-claim-from-authz
I’d like to highlight this aspect in the security considerations as well.
-
reporter - changed status to resolved
-
Having jti, I think that the reuse of the request object as private_key_jwt would not be possible anyway.
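The two JWT roles the thread contrasts, a federation request object and a private_key_jwt client assertion, as an added example that is not part of the issue or of any spec implementation: claim-set checks that reject a sub claim in a request object and show why, without it, the same token cannot pass as a client assertion. The request-object rules are assumed from Section 10.1.1.1, the assertion rules from RFC 7523 / OIDC Core section 9 (aud simplified to the token endpoint); all names, URLs and tokens are constructed.

```python
import base64
import json

# Claim-set checks for the two JWT roles discussed in the issue: a federation
# request object and a private_key_jwt client assertion. Signature verification
# is assumed to be done elsewhere with the RP's federation keys.

def decode_payload(compact_jws: str) -> dict:
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_request_object(claims: dict, client_id: str, op_issuer: str, now: int) -> list:
    """Violations for an automatic-registration request object (rules assumed from 10.1.1.1)."""
    problems = []
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        problems.append("iss and client_id must both be the RP entity ID")
    if claims.get("aud") != op_issuer:
        problems.append("aud must be the OP issuer")
    if "sub" in claims:
        problems.append("sub present: token could double as a client assertion")
    if "jti" not in claims:
        problems.append("missing jti")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

def check_client_assertion(claims: dict, client_id: str, token_endpoint: str, now: int) -> list:
    """Violations for a private_key_jwt assertion (RFC 7523 / OIDC Core 9); aud check simplified."""
    problems = []
    if not (claims.get("iss") == client_id and claims.get("sub") == client_id):
        problems.append("iss and sub must both equal client_id")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud must contain the token endpoint")
    if "jti" not in claims:
        problems.append("missing jti")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

def make_unsigned(claims: dict) -> str:
    # Constructed sample token with a placeholder signature, for demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"

RP, OP, TOKEN, NOW = "https://rp.example.org", "https://op.example.org", "https://op.example.org/token", 1700000000
REQUEST_OBJECT = make_unsigned({"iss": RP, "client_id": RP, "aud": OP, "jti": "r1", "exp": NOW + 300})
```

Running the checks on REQUEST_OBJECT shows it is a valid request object but fails as a client assertion on both the missing sub and the audience; adding sub back, as the non-normative example did, is exactly what the constraint flags.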