ambiguities in 7.1.1 signed authentication request

Issue #128 resolved
Joseph Heenan
created an issue

The wording here is not great:

Authentication request parameters MUST NOT be be outside the JWT and appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, will be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).

It's possible (albeit not very sane) to interpret this as "Authentication request parameters appear as HTTP request parameters" due to the use of 'and' rather than 'nor'.

I think the second sentence is normative, effectively ruling out the use of client_secret_basic (which is otherwise allowed-but-not-recommended by CIBA I believe), but the use of 'will' is ambiguous.

I would suggest:

Authentication request parameters MUST NOT be present outside of the JWT, in particular they MUST NOT appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, MUST be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).

Comments (4)

  1. Log in to comment