client_id supplied in request body should match the one supplied elsewhere
As per discussions here:
https://www.ietf.org/mail-archive/web/oauth/current/threads.html#17751
and here:
https://openbanking.atlassian.net/wiki/spaces/WOR/pages/89882922/118
It sounds like we should have an explicit clause requiring the AS to verify that the client_id supplied in the request body matches any one provided elsewhere.
Comments (16)
-
-
- changed status to open
Add one liner
-
So, it's a bit more complicated to write than I anticipated. How about this:
1. in the case of JWS Client Assertion, if the client_id is sent in addition to the client_assertion, shall verify that the client_id matches the iss claim in the client_assertion
It would go in part 1 just after 5.2.2.4
cc: @josephheenan
-
reporter @dgtonge I think I had in mind something much simpler, perhaps something like: "If the identity of the client is provided in more than one way, shall verify that all the identities refer to the same client".
-
@josephheenan I like that your version is simpler, I worry whether implementers will understand what we mean though. Would be good to get @Nat 's views.
-
I don't think that either of the sentences quite hits the mark. The presence of client_id on the uri is not meant to be taken as the means of client authentication unless no other mechanism of client authentication can be determined. Identification of the client can be conveyed via the client_id uri but OPs must verify that all client identifiers refer to the same client.
-
reporter @RaidiamRalph I'm not sure we can tighten up the client authentication part in FAPI. It feels to me like it'd need to go in the OB spec, or OIDC Core, or OAuth. I think the point of contention has been cleared up anyway, and I think there's a plan to submit an errata. The remaining thing we wanted to clear up was how the server should proceed when it receives multiple client identities.
The language I used is deliberately wider than Dave's so that it's clearer how it applies where OB (or anyone else that profiles FAPI) have widened the allowed client authentication methods. We could potentially combine mine and Dave's:
If the identity of the client is provided in more than one way, shall verify that all the identities refer to the same client. For example, in the case of JWS Client Assertion, if the client_id is sent in addition to the client_assertion, shall verify that the client_id matches the iss claim in the client_assertion.
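The clause proposed above, as an added illustration that is not part of this thread or of the FAPI specification: an authorization server collects every client identity present in one token request (the client_id form parameter, the iss and sub claims of a client_assertion, an HTTP Basic username, an mTLS-bound client) and refuses the request unless they all name the same client. The function names, the constructed client assertion and the mTLS/Basic inputs are assumptions for the example; signature verification of the assertion is assumed to happen separately and is not shown.

```python
import base64
import json
from typing import Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def assertion_claims(client_assertion: str) -> dict:
    """Return the claims of a compact-serialised JWT client assertion.

    Assumption: the JWS signature has already been verified by a separate step
    (hypothetical here); this only extracts the claims needed for the identity check.
    """
    parts = client_assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def collect_client_identities(
    form: Dict[str, str],
    basic_auth_user: Optional[str] = None,
    mtls_bound_client: Optional[str] = None,
) -> Dict[str, str]:
    """Gather every client identity in one token request, keyed by its source.

    Collecting the client_id parameter here does not treat it as authentication;
    it is only recorded so that it can be checked for consistency.
    """
    ids: Dict[str, str] = {}
    if "client_id" in form:
        ids["client_id parameter"] = form["client_id"]
    if "client_assertion" in form:
        claims = assertion_claims(form["client_assertion"])
        # For client authentication with JWT assertions, iss and sub both carry the client_id.
        if "iss" in claims:
            ids["client_assertion iss"] = claims["iss"]
        if "sub" in claims:
            ids["client_assertion sub"] = claims["sub"]
    if basic_auth_user is not None:
        ids["HTTP Basic username"] = basic_auth_user
    if mtls_bound_client is not None:
        ids["mTLS certificate binding"] = mtls_bound_client
    return ids


def check_single_client(ids: Dict[str, str]) -> str:
    """Enforce the clause: all supplied identities must refer to the same client.

    Returns that client_id, or raises ValueError naming every conflicting source.
    """
    if not ids:
        raise ValueError("no client identity supplied")
    distinct = set(ids.values())
    if len(distinct) != 1:
        detail = ", ".join(f"{src}={val}" for src, val in sorted(ids.items()))
        raise ValueError("client identity mismatch: " + detail)
    return distinct.pop()


def evaluate_request(form: Dict[str, str], basic_auth_user: Optional[str] = None,
                     mtls_bound_client: Optional[str] = None) -> str:
    return check_single_client(collect_client_identities(form, basic_auth_user, mtls_bound_client))


def is_rejected(form: Dict[str, str], basic_auth_user: Optional[str] = None,
                mtls_bound_client: Optional[str] = None) -> bool:
    """True if the request fails the consistency check (used to demonstrate the failure path)."""
    try:
        evaluate_request(form, basic_auth_user, mtls_bound_client)
        return False
    except ValueError:
        return True


def constructed_assertion(iss: str, sub: str) -> str:
    """Build a constructed (unsigned, placeholder-signature) client assertion for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "PS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": iss, "sub": sub,
        "aud": "https://as.example/token",   # constructed audience
        "jti": "constructed-jti-1",
    }).encode())
    return f"{header}.{payload}.{_b64url_encode(b'signature-placeholder')}"


if __name__ == "__main__":
    consistent = {"grant_type": "client_credentials", "client_id": "client-abc",
                  "client_assertion": constructed_assertion("client-abc", "client-abc")}
    print("accepted for", evaluate_request(consistent))
    mismatched = dict(consistent, client_id="client-xyz")
    print("mismatched request rejected:", is_rejected(mismatched))
```

Because the identities are keyed by source, the rejection message tells an operator exactly which two places disagreed (for example the client_id parameter versus the assertion's iss claim), which is the detail worth logging when such requests are seen in production.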
-
-
Updates?
-
This can be closed - 5.2.2.19 was added to part 1 to address this
-
reporter - changed status to resolved
Closing as per Dave's comment.
-
- changed component to Part 1: Baseline
-
- changed component to FAPI 1 - Part 1: Baseline
-
- changed component to FAPI 1 – Part 1: Baseline
-
- changed component to FAPI 1 – Baseline
-
- changed component to FAPI 1: Baseline