Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth?

Issue #875 resolved
Vladimir Dzhuvinov created an issue

We don't seem to have a client registration parameter to match the Discovery "token_endpoint_auth_signing_alg_values_supported" parameter.

Comments (8)

  1. Former user Account Deleted

    Proposed Text:

    token_endpoint_auth_signing_alg OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for authenticating to the Authorization Server's Token Endpoint using the client_secret_jwt or private_key_jwt token endpoint authentication method as described in Section 2.2.1 of OpenID Connect Messages 1.0 [OpenID.Messages]. The valid values are listed in Section 3.1 of JWA [JWA]. All authentication attempts from this client_id MUST be rejected if not signed by this algorithm.

  2. John Bradley

    For this and perhaps others, we need to be clear that if the IdP wants to allow run time selection of the alg value it must not provide a value for this element in its registration response.

  3. Nat Sakimura

    We are kind of complicating things here.

    I see this as an additional feature. After the previous vote, we are effectively in the feature freeze for this release of OpenID Connect. Unless it is critical, i.e., a security hole, we should not touch the normative content.

    We should deal with additional features by extension or early revision.

    I propose #wontfix.

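The check the proposed parameter implies, as an added example that is not part of this issue or of any OpenID Connect implementation: a Python function an Authorization Server could run on a client_assertion before verifying its signature. It enforces the server-wide token_endpoint_auth_signing_alg_values_supported first, then the per-client token_endpoint_auth_signing_alg pin from comment 1, and treats a missing registered value as run-time selection as described in comment 2. The client registrations, client_ids, audience URL and the placeholder-signed assertions are constructed for the example; the alg-family consistency check at the end is an extra check that goes beyond the proposed text.

```python
import base64
import json

# Constructed AS metadata for this example: the Discovery value the issue refers to.
TOKEN_ENDPOINT_AUTH_SIGNING_ALG_VALUES_SUPPORTED = ("RS256", "ES256", "HS256")

# Constructed client registrations; the client_ids are hypothetical.
# "client-runtime" deliberately omits token_endpoint_auth_signing_alg, which is
# the "allow run-time selection" case from comment 2.
REGISTERED_CLIENTS = {
    "client-pinned": {
        "token_endpoint_auth_method": "private_key_jwt",
        "token_endpoint_auth_signing_alg": "ES256",
    },
    "client-runtime": {
        "token_endpoint_auth_method": "private_key_jwt",
    },
    "client-secret": {
        "token_endpoint_auth_method": "client_secret_jwt",
        "token_endpoint_auth_signing_alg": "HS256",
    },
    "client-basic": {
        "token_endpoint_auth_method": "client_secret_basic",
    },
}

JWT_AUTH_METHODS = ("client_secret_jwt", "private_key_jwt")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_client_assertion(alg: str, claims: dict) -> str:
    """Build a compact JWS with a placeholder signature segment.

    Only for constructing sample input: the check below runs before signature
    verification and never trusts this signature.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def jws_protected_header(client_assertion: str) -> dict:
    """Parse the protected header of a compact JWS; raises ValueError if malformed."""
    parts = client_assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    return header


def check_client_assertion_alg(client_id: str, client_assertion: str):
    """Decide whether the JWS alg of a client_assertion is acceptable.

    Returns (accepted, detail). This is the alg policy check only; on success
    the caller still has to verify the signature with the key that the
    registered authentication method implies.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client_id"
    method = client.get("token_endpoint_auth_method")
    if method not in JWT_AUTH_METHODS:
        return False, f"{method} is not a JWT-based authentication method"

    try:
        alg = jws_protected_header(client_assertion).get("alg")
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed client_assertion"

    # Reject absent or unsigned algorithms before any comparison.
    if not isinstance(alg, str) or alg == "none":
        return False, "alg missing or 'none'"

    # Server-wide policy: the advertised token_endpoint_auth_signing_alg_values_supported.
    if alg not in TOKEN_ENDPOINT_AUTH_SIGNING_ALG_VALUES_SUPPORTED:
        return False, f"{alg} not in token_endpoint_auth_signing_alg_values_supported"

    # Per-client pin from registration (comment 1): a registered value is mandatory.
    # No registered value means run-time selection is allowed (comment 2).
    registered = client.get("token_endpoint_auth_signing_alg")
    if registered is not None and alg != registered:
        return False, f"{alg} does not match registered token_endpoint_auth_signing_alg {registered}"

    # Extra consistency check, not part of the proposed text: the alg family
    # must match the key the method implies (HMAC with the client secret for
    # client_secret_jwt, an asymmetric key for private_key_jwt), so a client
    # secret is never used as if it were a public key and vice versa.
    is_hmac = alg.startswith("HS")
    if method == "client_secret_jwt" and not is_hmac:
        return False, f"{alg} is not an HMAC alg, but the client uses client_secret_jwt"
    if method == "private_key_jwt" and is_hmac:
        return False, f"{alg} is an HMAC alg, but the client uses private_key_jwt"

    return True, alg
```

The order matters: the server-wide list is checked before the per-client pin so that a registered value which is no longer advertised is rejected rather than honoured, and "none" is rejected before either list is consulted.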