CIBA: other request parameters when "request" is present
When a backchannel authentication request contains the "request" request parameter, should it be allowed or not for other request parameters to be included?
The authorization endpoint of OIDC allows (has to allow) other request parameters to coexist with the "request" request parameter (or the "request_uri" request parameter) so that the behavior of the endpoint can comply with RFC 6749 at the same time.
However, because the backchannel authentication endpoint is a new endpoint, it is possible to decide to state "other request parameters should not be present when the request request parameter is present".
On the other hand, if other request parameters are allowed, it will be better to add some notes to secure consistency between bare request parameters and the request object. For example, OIDC Core 1.0 says in "6.1. Passing a Request Object by Value" as follows:
So that the request is a valid OAuth 2.0 Authorization Request, values for the response_type and client_id parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0. The values for these parameters MUST match those in the Request Object, if present.
Comments (6)
pull request #42 tries to clarify that, for signed authentication requests, all the authentication request parameters are in the JWT and only in the JWT
reporter: This simplifies implementations. 😁
simplifies implementations is a good thing 😁
changed status to resolved; merged pull request #42
In which pull request was this clarified, Brian? That link is broken. Also, what if the client ID and secret are in a basic authorization header? What if they are posted in the form? Should they also be in the JWT? It seems that client authentication params are outside and non-client-auth params are in the JWT. What if client_id and client_secret are in the JWT though? Which should be used? It seems those are not defined as a part of the CIBA request, so they should be ignored if in the JWT request obj.
When a CIBA signed authentication request is used, all of the authentication request parameters are to be encoded as claims in the JWT. We can add some clarifying text along the lines of your suggestion, "other request parameters should not be present when the request request parameter is present".
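The rule the thread converges on (authentication request parameters live in the JWT and only in the JWT, with client authentication parameters allowed outside it) can be enforced at the backchannel authentication endpoint with a small validator. The following is an added example written for this page, not code from the CIBA specification, pull request #42 or any implementation; it assumes an HS256 request object signed with a shared secret, a hypothetical CLIENT_AUTH_PARAMS allow-list, and constructed sample bodies.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode
# Client authentication parameters (RFC 6749 / RFC 7523) may stay outside the JWT;
# every authentication request parameter itself must be a claim inside it (assumed allow-list).
CLIENT_AUTH_PARAMS = {"client_id", "client_secret", "client_assertion", "client_assertion_type"}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_request(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT carrying the authentication request (the client side, constructed)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_signed_backchannel_request(body: str, key: bytes) -> dict:
    """Return the JWT claims of a signed CIBA request, or raise ValueError with the reason."""
    params = parse_qs(body, keep_blank_values=True)
    if len(params.get("request", [])) != 1:
        raise ValueError("exactly one request parameter is required")
    outside = set(params) - CLIENT_AUTH_PARAMS - {"request"}
    if outside:  # the point of the thread: no bare parameters may compete with the request object
        raise ValueError(f"authentication request parameters outside the JWT: {sorted(outside)}")
    parts = params["request"][0].split(".")
    if len(parts) != 3:
        raise ValueError("request is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))

def reject_reason(body: str, key: bytes):
    # None when the body is accepted, otherwise the rejection message.
    try:
        validate_signed_backchannel_request(body, key)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed sample: a demo key, claims, and two POST bodies (the second carries a bare scope).
KEY = b"shared-client-secret-for-demo"
CLAIMS = {"scope": "openid", "login_hint": "user@example.com", "binding_message": "W4SCT"}
JWT = make_signed_request(CLAIMS, KEY)
GOOD_BODY = urlencode({"client_id": "demo-client", "client_secret": "demo-secret", "request": JWT})
BAD_BODY = urlencode({"client_id": "demo-client", "scope": "openid", "request": JWT})
```

With the bare scope removed from BAD_BODY the request would be accepted, which is the consistency problem the reporter raises: a server that tolerates both copies has to decide which one wins, whereas rejecting the bare copy removes the question.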