proposed new FAPI certification test: private_key_jwt client authentication assertion where aud contains multiple values

Issue #403 open
Joseph Heenan created an issue

As per the certification team intends to implement an additional test that sends multiple aud values in client assertions.

We’d likely send the normal aud and also and the server must accept that as valid. I guess this would be for FAPI-RW-ID2 tests and also FAPI1-Advanced-Final.

This is at least partly related to which some RPs are working around by sending multiple aud values.

Any feedback/objections welcome.

Comments (4)

  1. Joseph Heenan reporter

    Discussed on today’s FAPI WG call. We don’t have a good feeling for how many implementations might not implement this correctly, there was a suggestion it would be added as a warning at least initially.

    Also to clarify this is an interoperability concern, and is not a security concern.

  2. Rui Engana

    We are finding a few entities from Open Banking UK very strict with audience checks and not accepting array values, even when correct value is part of audience array.

    Agree this is an interoperability problem and not a security concern, but without interoperability there isn’t adoption. We have also raised this concern with OBIE too.

    From RFC7521 which govern Client Assertions Metamodel it’s said.

    A value that identifies the party or parties intended to process
    the assertion. The URL of the token endpoint, as defined in
    of OAuth 2.0 [], can be used to indicate that
    the authorization server is a valid intended audience of the
    assertion. In the absence of an application profile specifying
    otherwise, compliant applications MUST compare the Audience values
    using the Simple String Comparison method defined in [].

  3. Log in to comment