5.3.2.1 bullet 5 missing a word or a comma?
It goes:
(Clients,) if using `private_key_jwt`, shall use the Authorization Server's issuer identifier value (as defined in [RFC8414]) in the `aud` claim sent in client authentication assertions, and the issuer identifier value should be sent as a string not as an item in an array
The bold-faced sentence seems to be missing a word or a comma. Perhaps it should be:
(Clients,) if using `private_key_jwt`, shall use the Authorization Server's issuer identifier value (as defined in [RFC8414]) in the `aud` claim sent in client authentication assertions, and the issuer identifier value should be sent as a string, not as an item in an array
Also, since the main subject of the sentences here is “Clients”, it does not read too well. Perhaps it should be “received” instead of “sent”.
In addition, we may want to avoid the passive form “should be”.
Also this “should be” introduces an ambiguity. Do we allow it to be received as an item in an array?
If not, perhaps:
Comments (5)
- reporter:
Have we defined client authentication assertions, by the way?
-
Somewhat indirectly by reference to `private_key_jwt`, which is from sec 9 of OIDC Core and describes JWT client assertion auth from RFC 7523.
-
Also, since the main subject of the sentences here is “Clients”, it does not read too well. Perhaps it should be “received” instead of “sent”.
In this context the client is creating the JWT and including it in an HTTP request to the AS. So “sent” is correct. The client is sending.
-
I’ll change it to the following in the PR:
1. if using `private_key_jwt`, shall use the Authorization Server's issuer identifier value (as defined in [@RFC8414]) in the `aud` claim in client authentication assertions, and should send the issuer identifier value as a string, not as an item in an array;
The ‘sent’ can be removed to shorten the sentence. I added the missing comma and used active voice.
-
changed status to resolved
Fix Issue #650 (5.3.2.1 bullet 5 missing a word or a comma?) → <<cset 5407571bbadf>>
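The ambiguity raised in this issue (is an `aud` array that contains the issuer acceptable, or only a plain string?) is ultimately a check the authorization server performs on the client assertion. The following is an added example written for this page, not code from the FAPI specification or any implementation; the issuer identifier, client id and sample assertions are constructed values, and signature verification against the client's registered key is assumed to have been done before these claim checks run. The `accept_array` flag makes the two readings of the text explicit: the strict FAPI wording (string only) versus the RFC 7523 form (a list containing the issuer).

```python
"""
Claim checks an authorization server could apply to a private_key_jwt client
assertion, following the wording discussed in this issue: the `aud` claim
carries the AS issuer identifier (RFC 8414) as a plain string, not as an item
in an array.  Added example for this page; the values below are constructed.
Signature verification is assumed to happen before these checks.
"""
import base64
import json
import time
from typing import Optional, Tuple

# Constructed values, not taken from any real deployment.
ISSUER = "https://as.example.com"
CLIENT_ID = "client-123"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def unverified_claims(assertion: str) -> dict:
    """Extract the payload of a compact JWS.  The signature is NOT checked here;
    a real AS must verify it against the client's registered key first."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(aud, issuer: str, accept_array: bool = False) -> Optional[str]:
    """Return None if `aud` is acceptable, otherwise a rejection reason.

    Strict FAPI reading: `aud` must be the issuer identifier as a string.
    With accept_array=True the RFC 7523 form (an array that contains the
    issuer) is tolerated, which is the ambiguity the issue asks about."""
    if isinstance(aud, str):
        return None if aud == issuer else "aud does not match issuer"
    if isinstance(aud, list):
        if not accept_array:
            return "aud must be a string, not an array"
        if issuer in aud and all(isinstance(a, str) for a in aud):
            return None
        return "issuer not present in aud array"
    return "aud missing or of wrong type"


def validate_client_assertion(claims: dict, client_id: str, issuer: str,
                              now: float, seen_jti: set,
                              accept_array: bool = False) -> Tuple[bool, str]:
    """Apply the claim checks RFC 7523 / OIDC Core require (iss, sub, exp, jti)
    plus the FAPI audience rule.  Returns (ok, reason)."""
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub must both equal the client_id"
    reason = check_audience(claims.get("aud"), issuer, accept_array)
    if reason:
        return False, reason
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "assertion expired or exp missing"
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return False, "jti missing"
    if jti in seen_jti:
        return False, "jti already used (replay)"
    seen_jti.add(jti)  # remember the id so a replayed assertion is refused
    return True, "ok"


def make_unsigned_assertion(claims: dict) -> str:
    """Build a compact JWS with an empty signature segment for the constructed
    sample inputs.  Real clients sign with their private key."""
    return _b64url_encode({"alg": "PS256", "typ": "JWT"}) + "." + _b64url_encode(claims) + "."


if __name__ == "__main__":
    now = time.time()
    good = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": ISSUER,
            "jti": "n-1", "iat": now, "exp": now + 60}
    as_array = dict(good, aud=[ISSUER], jti="n-2")
    seen = set()
    sample = unverified_claims(make_unsigned_assertion(good))
    print(validate_client_assertion(sample, CLIENT_ID, ISSUER, now, seen))
    print(validate_client_assertion(as_array, CLIENT_ID, ISSUER, now, seen))
    print(validate_client_assertion(as_array, CLIENT_ID, ISSUER, now, seen, accept_array=True))
```

Under the strict reading the array form is refused outright; under the lenient reading it is accepted only when every element is a string and one of them equals the issuer. Whichever policy the spec settles on, the AS-side check is where the "received" versus "sent" distinction from the thread actually materialises.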