- edited description
Should JARM be mandated for code flow with PAR and PKCE?
FAPI 1 Advanced currently:
- allows PAR (MAY),
- use of PAR mandates PKCE (SHALL)
- allows to use
code
flow
shall require
the
response_type
valuecode id_token
, orthe
response_type
valuecode
in conjunction with theresponse_mode
valuejwt
;
- use of code flow mandates JARM
In addition, if the
response_type
valuecode
is used in conjunction with theresponse_mode
valuejwt
, the authorization servershall create JWT-secured authorization responses as specified in JARM, Section 4.3.
Is there a need to mandate JARM if code flow is used with PAR and PKCE? This requirement didn’t seem to come from the attacker model.
May be JARM requirement can be relaxed?
Thoughts?
Comments (13)
-
reporter -
- changed status to open
-
In FAPI2, the
iss
draft is required:Removing JARM (without replacing it with something) would I believe open FAPI1 to the mixup attack described in the iss draft.
-
reporter The justification for not using JARM was that authorization response doesn’t require additional protection if authorisation response only contains ‘code' and it’s protected by PKCE already.
Now, to protect against AS mixup attack we would use iss draft instead of JARM.
And this would introduce another parameter to the authorization response and the need to protected with JARM?!
Right? @Daniel Fett @Joseph Heenan
-
The ‘iss’ parameter is an exception: ‘iss’ provides its security in any case only when the response comes directly from an uncompromised AS and was not modified in between (i.e., attacker cannot modify authorization response). If the attacker can read/modify the authz response, ‘iss’ is not needed, as an attacker does not need to execute a mix-up attack in that case (just reading the code from the authz response is easier).
Therefore, I think leaving code+iss without JARM protection should be fine.
-
reporter We’ve discussed it on a call today:
- The spec is final and it is not going to change: JARM has to be supported for code flow.
- In order to facilitate broader vendor support FAPI WG will progress JARM specification to FINAL as soon as practical.
- FAPI WG will make a decision wether JARM is required for FAPI 2.
- Potentially, FAPI WG will produce advice on migration from FAPI 1 to FAPI 2.
-
For better or worse, FAPI 1.0 baseline and advanced have been finalized https://openid.net/2021/03/16/standards-adoption-and-the-adoption-of-standards-financial-grade-api-fapi-1-0-final-specifications-published/ and making a change to a finalized standard is not something that should be undertaken lightly.
-
Can this be closed then?
-
reporter - changed status to resolved
the spec is final. change is harder.
-
reporter @Nat Sakimura @Anoop Saxena @Edmund Jay JARM is a part of AU transition to FAPI 1 and use of code flow.
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
- Log in to comment