does part 2 allow client_secret_jwt?
It's not clear to me if part 2 allows client_secret_jwt.
part 1 allows:
JWS Client Assertion using the client_secret or a private key as specified in section 9 of [OIDC];
(I think we should update the text to use the explicit names defined in section 9, i.e. client_secret_jwt and private_key_jwt)
part 2 doesn't explicitly say anything about client authentication, however section 8.6 says:
JWS signatures shall use the PS256 or ES256 algorithms for signing.
which would appear to rule out the use of HS256 which is required for client_secret_jwt.
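Added example (not from the issue or the FAPI spec text) illustrating the rule discussed above: it builds a client_secret_jwt assertion with the Python standard library to show that the method is HS256 by construction, then applies the section 8.6 algorithm allowlist as a gate a part 2 token endpoint would run before any key lookup. The client id, secret and endpoint URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# FAPI 1 Part 2 section 8.6, as quoted in the issue: only PS256 or ES256 for JWS.
FAPI2_ALLOWED_ALGS = frozenset({"PS256", "ES256"})

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_secret_jwt(client_id: str, client_secret: str, token_endpoint: str) -> str:
    """Build a client_secret_jwt assertion (OIDC Core section 9).
    The method is an HMAC keyed with the client secret, so the JWS header
    alg is necessarily HS256; there is no asymmetric variant of it."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def jws_alg(assertion: str):
    """Return alg from the protected header, or None if the compact JWS is malformed."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(b64url_decode(parts[0])).get("alg")
    except (ValueError, AttributeError):
        return None

def check_fapi2_assertion(assertion: str):
    """Policy gate applied before key lookup or signature verification:
    reject every alg outside section 8.6 (this covers HS256 and 'none')."""
    alg = jws_alg(assertion)
    if alg not in FAPI2_ALLOWED_ALGS:
        return False, f"alg {alg!r} is not permitted by FAPI Part 2 section 8.6"
    return True, f"alg {alg} permitted; verify the signature with the client's registered public key"
```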
Comments (9)
Sounds right. Suggest adding an explicit statement.
Explicitly state that part2 does not allow client_secret_jwt
client_secret_jwt uses HS256 signing so it is implicitly banned by section 8.6 already; add an explicit clause that makes this clear.
Part 1 is also updated to use the normative names for the client authentication method as I think that's generally better than trying to describe them with words.
closes #162
→ <<cset e88f9226369e>>
Merged in josephheenan/fapi/avoid-clause-renumbering (pull request #66) to fix #162 and fix #152.
Explicitly disallowed client_secret_jwt (#162) + update fix for #152 so that the spec clauses aren't renumbered.
Approved-by: Nat Sakimura sakimura@gmail.com
→ <<cset 1d66ccb37423>>
Personally I don't see a strong reason to allow client_secret_jwt in part 2 so I'd tend to veer towards adding an explicit statement that the only allowed client authentication methods are private_key_jwt and tls_client_auth.