ambiguities in 7.1.1 signed authentication request
The wording here is not great:
Authentication request parameters MUST NOT be outside the JWT and appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, will be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).
It's possible (albeit not very sane) to interpret this as "Authentication request parameters appear as HTTP request parameters" due to the use of 'and' rather than 'nor'.
I think the second sentence is normative, effectively ruling out the use of client_secret_basic (which is otherwise allowed-but-not-recommended by CIBA, I believe), but the use of 'will' is ambiguous.
I would suggest:
Authentication request parameters MUST NOT be present outside of the JWT, in particular they MUST NOT appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, MUST be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).
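As an added example (not from the issue, the spec, or the commit it references), here is a server-side check in Python that enforces the suggested wording for a signed backchannel authentication request: the form body may carry only the `request` JWT plus the parameters the client authentication method needs, and anything else is rejected as an authentication request parameter that has leaked outside the JWT. The method names `tls_client_auth` and `private_key_jwt` are assumed labels for the two methods the issue describes; the sample bodies and token values are constructed placeholders. Following the issue author's reading, no entry exists for client_secret_basic.

```python
from urllib.parse import parse_qs

# Form parameters each client authentication method needs outside the JWT.
# The method names are assumed for this example (the issue only describes the
# methods as "Mutual TLS" and "JWT assertion based"); the parameter names are
# the ones the quoted spec text lists.
CLIENT_AUTH_PARAMS = {
    "tls_client_auth": {"client_id"},
    "private_key_jwt": {"client_assertion", "client_assertion_type"},
}

# The only non-authentication parameter allowed in the body: the signed request itself.
REQUEST_PARAM = "request"


def validate_signed_request_body(body, client_auth_method):
    """Check the application/x-www-form-urlencoded body of a signed backchannel
    authentication request.

    Returns (True, "ok") when the body carries exactly the `request` JWT plus the
    parameters the client authentication method requires, and (False, reason)
    otherwise. Any other parameter is treated as an authentication request
    parameter that has been sent outside the JWT."""
    required = CLIENT_AUTH_PARAMS.get(client_auth_method)
    if required is None:
        return False, "unsupported client authentication method: %s" % client_auth_method

    params = parse_qs(body, keep_blank_values=True)

    # A parameter sent twice is ambiguous; reject rather than pick one.
    duplicates = sorted(name for name, values in params.items() if len(values) > 1)
    if duplicates:
        return False, "duplicate parameters: " + ", ".join(duplicates)

    present = set(params)
    if REQUEST_PARAM not in present:
        return False, "missing request parameter"

    missing = sorted(required - present)
    if missing:
        return False, "missing client authentication parameters: " + ", ".join(missing)

    leaked = sorted(present - required - {REQUEST_PARAM})
    if leaked:
        return False, "authentication request parameters outside the JWT: " + ", ".join(leaked)

    return True, "ok"


# Constructed sample bodies (the JWT and assertion values are placeholders,
# not real tokens).
SAMPLES = {
    "mtls_ok": ("request=eyJ.placeholder.jwt&client_id=s6BhdRkqt3", "tls_client_auth"),
    "mtls_leaked_scope": (
        "request=eyJ.placeholder.jwt&client_id=s6BhdRkqt3&scope=openid",
        "tls_client_auth",
    ),
    "pkjwt_ok": (
        "request=eyJ.placeholder.jwt"
        "&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer"
        "&client_assertion=eyJ.placeholder.assertion",
        "private_key_jwt",
    ),
    "pkjwt_missing_type": (
        "request=eyJ.placeholder.jwt&client_assertion=eyJ.placeholder.assertion",
        "private_key_jwt",
    ),
}


def run_samples():
    """Validate every constructed sample and return {name: (ok, reason)}."""
    return {
        name: validate_signed_request_body(body, method)
        for name, (body, method) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print("%-20s %s  %s" % (name, "accept" if ok else "reject", reason))
```

The check deliberately rejects rather than ignores a stray parameter such as `scope`, since silently dropping it would leave the client unaware that its request was not interpreted as sent.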
Comments (4)
Agree, @Joseph Heenan's words there are better than the words I had. I'll update the doc.
changed status to resolved
Done with 1ce115d, but please feel free to double-check my work there.
This change looks good to me, @Brian Campbell what do you think?