1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. fapi
  4. Issues

proposed new FAPI certification test: private_key_jwt client authentication assertion where aud contains multiple values

Issue #403 resolved
Joseph Heenan created an issue

As per https://gitlab.com/openid/conformance-suite/-/issues/886 the certification team intends to implement an additional test that sends multiple aud values in client assertions.

We’d likely send the normal aud and also https://other1.example.com and the server must accept that as valid. I guess this would be for FAPI-RW-ID2 tests and also FAPI1-Advanced-Final.

This is at least partly related to https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience which some RPs are working around by sending multiple aud values.

Any feedback/objections welcome.

Comments (15)

  3. Joseph Heenan reporter

    Discussed on today’s FAPI WG call. We don’t have a good feeling for how many implementations might not implement this correctly, there was a suggestion it would be added as a warning at least initially.

    Also to clarify this is an interoperability concern, and is not a security concern.

  4. Rui Engana

    We are finding a few entities from Open Banking UK very strict with audience checks and not accepting array values, even when correct value is part of audience array.

    Agree this is an interoperability problem and not a security concern, but without interoperability there isn’t adoption. We have also raised this concern with OBIE too.

    From RFC7521 https://tools.ietf.org/html/rfc7521#section-5.1 which govern Client Assertions Metamodel it’s said.

    Audience
    A value that identifies the party or parties intended to process
    the assertion. The URL of the token endpoint, as defined in
    of OAuth 2.0 [], can be used to indicate that
    the authorization server is a valid intended audience of the
    assertion. In the absence of an application profile specifying
    otherwise, compliant applications MUST compare the Audience values
    using the Simple String Comparison method defined in [].

  9. Filip Skokan

    The situation in FAPI1 remains unresolved, and an ongoing interoperability issue. At least some clients are sending aud as an array with multiple values, at least some servers are not accepting arrays.

    The situation seems pretty clear. Clients may be sending aud as an array in order to interoperate. OTOH servers not accepting arrays do not fully handle RFC7523 and RFC7519 (which even goes as far as to say that array is the general case and one audience being a string is a special case, a MAY one at that).

  10. Filip Skokan

    On today’s call there were no objections to adding a FAPI AS test(s) making sure that ASs accept their respective audience identifier sent in an array.

  12. Joseph Heenan reporter

    I don’t think so, we don’t have a conclusion yet. As per the above the WG only agreed to add a warning, so we remain in the situation where certified clients may send an array, and certified authorization servers may not accept an array.

    (FAPI2 is now clearer. The WG could resolve this for FAPI1 by endorsing the addition of a certification test for FAPI1 that would require AS to accept aud values that are arrays containing multiple values.)

  14. Joseph Heenan reporter

    Oh, right, sorry, I may have missed that. I hadn’t realised that the conversation encompassed both FAPI1 and FAPI2.

  16. Log in to comment
Assignee
Type
proposal
Priority
major
Status
resolved
Component
FAPI 1: Advanced
Milestone
Votes
1
Watchers
5
Jira: the preferred issue tracker for Bitbucket. Join the team!