client_id supplied in request body should match the one supplied elsewhere

Issue #131 resolved
Joseph Heenan created an issue

As per discussions here:

https://www.ietf.org/mail-archive/web/oauth/current/threads.html#17751

and here:

https://openbanking.atlassian.net/wiki/spaces/WOR/pages/89882922/118

It sounds like we should have an explicit clause requiring the AS to verify that the client_id supplied in the request body matches any one provided elsewhere.

Comments (11)

  1. Dave Tonge

    So, its a bit more complicated to write than I anticipated. How about this:

    1. in the case of JWS Client Assertion, if the client_id is sent in addition to the client_assertion, shall verify that the client_id matches the iss claim in the client_assertion

    It would go in part 1 just after 5.2.2.4

    cc: @josephheenan

  2. Joseph Heenan reporter

    @dgtonge I think I had in mind something much simpler, perhaps something like: "If the identity of the client is provided in more than one way, shall verify that all the identities refer to the same client".

  3. Dave Tonge

    @josephheenan I like that your version is simpler, I worry whether implementers will understand what we mean though. Would be good to get @Nat 's views.

  4. Ralph Bragg

    I don't think that either of the sentences quite hits the mark, The presence of client_id on the uri is not meant to be taken as the means of client authentication unless no other mechanism of client authentication can be determined. Identification of the client can be conveyed via the client_id uri but OPs must verify that all client identifiers refer to the same client.

  5. Joseph Heenan reporter

    @RaidiamRalph I'm not sure we can tighten up the client authentication part in FAPI. It feels to me like it'd need to go in the OB spec, or OIDC Core, or OAuth. I think the point of contention has been cleared up anyway, and I think there's a plan to submit an errata. The remaining thing we wanted to clear up was how the server should proceed when it receives multiple client identities.

    The language I used is deliberately wider than Dave's so that it's clearer how it applies where OB (or anyone else that profiles FAPI) have widened the allowed client authentication methods. We could potentially combine mine and Dave's:

    If the identity of the client is provided in more than one way, shall verify that all the identities refer to the same client. For example, in the case of JWS Client Assertion, if the client_id is sent in addition to the client_assertion, shall verify that the client_id matches the iss claim in the client_assertion

  6. Log in to comment