ambiguities in 7.1.1 signed authentication request
Issue #128
resolved
The wording here is not great:
Authentication request parameters MUST NOT be be outside the JWT and appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, will be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).
It's possible (albeit not very sane) to interpret this as "Authentication request parameters appear as HTTP request parameters" due to the use of 'and' rather than 'nor'.
I think the second sentence is normative, effectively ruling out the use of client_secret_basic (which is otherwise allowed-but-not-recommended by CIBA I believe), but the use of 'will' is ambiguous.
I would suggest:
Authentication request parameters MUST NOT be present outside of the JWT, in particular they MUST NOT appear as HTTP request parameters. Additional HTTP request parameters as required by the given client authentication method, however, MUST be included as application/x-www-form-urlencoded parameters (e.g. Mutual TLS client authentication uses client_id while JWT assertion based client authentication uses client_assertion and client_assertion_type).
Comments (5)
-
-
-
assigned issue to
Brian Campbell
-
assigned issue to
-
Agree @josephheenan-fintech's words there are more better than the words I had. I'll update the doc.
-
- changed status to resolved
done with 1844b6d but please feel free to double check my work there
-
I'm glad that it got solved because I know how complicated it is to work with something like that, especially when it comes to such small details. Personally, I even worked with this company https://apiko.com/blog/application-modernization-services/ in order to rely on specialists and make sure that I won't do anything wrong.
- Log in to comment
This change looks good to me, @b_d_c what do you think?