Enforce request object signing alg?

Issue #266 resolved
Torsten Lodderstedt created an issue

AS must enforce client authentication for confidential clients and request object signing if configured to prevent downgrading attacks.

Question: do we want to support situations where the same client wants to use “traditional” request objects (where signing is required for integrity and authenticity protection) and pushed request objects (where signing is required for non-repudiation only)? If the client policy does not distinguish a signing alg for both cases, this client must sign request objects in the context of the pushed request object endpoint too.

Comments (5)

  1. Torsten Lodderstedt reporter

    @Nat Sakimura there seems to be no text on request object signature algorithm configuration in draft-ietf-oauth-jwsreq? How is the AS supposed to manage this kind of setting?
