client_id supplied in request body should match the one supplied elsewhere

Issue #131 resolved
Joseph Heenan created an issue

As per discussions here:

https://www.ietf.org/mail-archive/web/oauth/current/threads.html#17751

and here:

https://openbanking.atlassian.net/wiki/spaces/WOR/pages/89882922/118

It sounds like we should have an explicit clause requiring the AS to verify that the client_id supplied in the request body matches any one provided elsewhere.

Comments (16)

  1. Dave Tonge

    So, it's a bit more complicated to write than I anticipated. How about this:

    1. in the case of JWS Client Assertion, if the client_id is sent in addition to the client_assertion, shall verify that the client_id matches the iss claim in the client_assertion

    It would go in part 1 just after 5.2.2.4

    cc: @josephheenan

  2. Joseph Heenan reporter

    @dgtonge I think I had in mind something much simpler, perhaps something like: "If the identity of the client is provided in more than one way, shall verify that all the identities refer to the same client".

  3. Dave Tonge

    @josephheenan I like that your version is simpler, I worry whether implementers will understand what we mean though. Would be good to get @Nat's views.

  4. Ralph Bragg

    I don't think that either of the sentences quite hits the mark. The presence of client_id on the URI is not meant to be taken as the means of client authentication unless no other mechanism of client authentication can be determined. Identification of the client can be conveyed via the client_id URI but OPs must verify that all client identifiers refer to the same client.

  5. Joseph Heenan reporter

    @RaidiamRalph I'm not sure we can tighten up the client authentication part in FAPI. It feels to me like it'd need to go in the OB spec, or OIDC Core, or OAuth. I think the point of contention has been cleared up anyway, and I think there's a plan to submit an errata. The remaining thing we wanted to clear up was how the server should proceed when it receives multiple client identities.

    The language I used is deliberately wider than Dave's so that it's clearer how it applies where OB (or anyone else that profiles FAPI) have widened the allowed client authentication methods. We could potentially combine mine and Dave's:

    If the identity of the client is provided in more than one way, shall verify that all the identities refer to the same client. For example, in the case of JWS Client Assertion, if the client_id is sent in addition to the client_assertion, shall verify that the client_id matches the iss claim in the client_assertion.
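The check proposed in comment 1 and generalised in comment 5, worked through as an added example (not code from the FAPI specification or from any implementation discussed in this thread). It collects every way a token request can name the client: the `client_id` form parameter, the username of an HTTP Basic `Authorization` header, and the `iss`/`sub` claims of a `client_assertion` of type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. The server then refuses the request unless all of them name the same client. The request is modelled as a plain dict of form fields plus an optional header string; the sample assertion is constructed with a placeholder signature, and signature verification is assumed to happen in the separate client-authentication step that consumes the assertion.

```python
import base64
import json
import urllib.parse
from typing import Dict, Optional

JWT_BEARER_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class ClientIdentityMismatch(Exception):
    """Raised when a token request carries no client identity, or conflicting ones."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS.

    This does NOT verify the signature; the assertion must still be validated by the
    client-authentication step. The identity comparison below is an extra check, not
    a replacement for that step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def collect_client_identities(form: Dict[str, str],
                              authorization: Optional[str] = None) -> Dict[str, str]:
    """Map each place the request names the client to the value it supplies."""
    identities: Dict[str, str] = {}
    if form.get("client_id"):
        identities["body client_id"] = form["client_id"]
    if authorization and authorization.startswith("Basic "):
        raw = base64.b64decode(authorization[len("Basic "):]).decode("utf-8")
        # RFC 6749 section 2.3.1: the username is the form-encoded client_id.
        identities["basic auth username"] = urllib.parse.unquote(raw.split(":", 1)[0])
    if (form.get("client_assertion_type") == JWT_BEARER_ASSERTION_TYPE
            and form.get("client_assertion")):
        claims = jwt_payload(form["client_assertion"])
        for claim in ("iss", "sub"):  # RFC 7523: both must carry the client_id
            if claim in claims:
                identities[f"client_assertion {claim}"] = claims[claim]
    return identities


def resolve_client_id(form: Dict[str, str], authorization: Optional[str] = None) -> str:
    """Return the single client identity named by the request, or reject it."""
    identities = collect_client_identities(form, authorization)
    distinct = set(identities.values())
    if not distinct:
        raise ClientIdentityMismatch("token request carries no client identity")
    if len(distinct) > 1:
        raise ClientIdentityMismatch(f"conflicting client identities: {identities}")
    return distinct.pop()


def make_unsigned_assertion(claims: dict) -> str:
    """Constructed sample assertion: real header and payload encoding, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "PS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def make_basic_authorization(client_id: str, secret: str) -> str:
    """Constructed sample HTTP Basic header for a client_secret_basic request."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode("ascii")


if __name__ == "__main__":
    assertion = make_unsigned_assertion(
        {"iss": "client-abc", "sub": "client-abc", "aud": "https://as.example/token"})
    request = {"grant_type": "authorization_code", "client_id": "client-abc",
               "client_assertion_type": JWT_BEARER_ASSERTION_TYPE,
               "client_assertion": assertion}
    print("consistent request resolves to", resolve_client_id(request))
    try:
        resolve_client_id(dict(request, client_id="client-xyz"))
    except ClientIdentityMismatch as exc:
        print("rejected:", exc)
```

Keeping the per-source map (`collect_client_identities`) separate from the decision (`resolve_client_id`) lets the rejection message say which two sources disagreed, which is what an operator needs in the log when a misconfigured client starts sending the wrong `client_id` alongside a valid assertion.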
