- changed title to Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth?
- edited description
Registration: Parameter for specifying the preferred JWS alg for JWT-based client auth?
Issue #875
resolved
We don't seem to have a client registration parameter to match the Discovery "token_endpoint_auth_signing_alg_values_supported" parameter.
Comments (8)
-
reporter
-
Account Deleted
Proposed Text:
token_endpoint_auth_signing_alg OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for authenticating to the Authorization Server's Token Endpoint using the client_secret_jwt or private_key_jwt token endpoint authentication method as described in Section 2.2.1 of OpenID Connect Messages 1.0 [OpenID.Messages]. The valid values are listed in Section 3.1 of JWA [JWA]. All authentication attempts from this client_id MUST be rejected if not signed by this algorithm.
-
For this and perhaps others, we need to be clear that if the IdP wants to allow run time selection of the alg value it must not provide a value for this element in it's registration response.
-
reporter
That makes sense, within the ranges advertised in the Discovery metadata.
-
We are kind of complicating things here.
I see this as an additional feature. After the previous vote, we are effectively in the feature freeze for this release of OpenID Connect. Unless it is critical i.e., security hole, we should not touch the normative content.
We should deal additional features with extension or early revision.
I propose #wontfix.
-
- marked as enhancement
-
- changed milestone to Final
-
assigned issue to
Michael Jones
We will add this
-
- changed status to resolved
Fixed
#875- Added "token_endpoint_auth_signing_alg" parameter→ <<cset fe0041c9307a>>
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Registration
- Milestone
- Final
- Version
- –
- Votes
- 0
- Watchers
- 0
