recommend auth code flow using signed requests #226
Conversation
|
My apologies, I created #233, before seeing this PR. Possible to use #233 instead? |
Co-authored-by: Jesús Peña García-Oliva <[email protected]>
|
I would like to clarify why the OIDC specification was chosen over RFC 9101. It is important because, although they are very similar, they have small but significant differences. OIDC:
From my point of view, it is more interesting to follow RFC 9101, as it would ignore parameters that the client did not have to send and could potentially change how an authorization server processes the request. |
| @@ -66,6 +66,8 @@ All network connections MUST use TLS 1.2 or better. | |||
|
|
|||
| The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | |||
|
|
|||
| It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. | |||
There was a problem hiding this comment.
Both in OIDC and RFC 9101, the valid value for the aud field should be the issuer of the authorization server. I don't see any specification that recommends the Token Endpoint for signed request object.
Even in the CIBA specification, it is also established that the valid value should be the issuer of the authorization server.
There was a problem hiding this comment.
@garciasolero
The CAMARA specification specifically makes this recommendation.
However, this applies to client authentication, and for authorisation code flow, it is only the /token endpoint where the client is authenticated. For signing the authorisation request, I agree that is does not necessarily follow that the aud should also be the URL of the token endpoint.
There was a problem hiding this comment.
Yes, you are right, hence my comment. The recommendations apply depending on what type of assertion it is, and we should be aligned with what the standards say.
There was a problem hiding this comment.
OIDC Core refers to [RFC9101], under section Explicit Endpoints, it is RECOMMENDED good practice to explicitly state the intended interaction endpoints, in this context the Authorization endpoint (authorization_endpoint)
I have the following concern on this phrase in OIDC Core:
The JWT MAY contain other Claims. Any Claims used that are not understood MUST be ignored." under the private_key_jwt section.
The aud claim explicitly stating the intended endpoint, will prevent misuse of the signed JWT.
There was a problem hiding this comment.
| It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. | |
| It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). | |
| This document recommends the value of `aud` (Audience) claim MUST be the Authorization endpoint as RECOMMENDED by [\[RFC9101\], Explicit Endpoints](https://www.rfc-editor.org/rfc/rfc9101.html#name-explicit-endpoints). |
|
I would like to propose to append the following point regarding the 8< ------------------------ |
| @@ -66,6 +66,8 @@ All network connections MUST use TLS 1.2 or better. | |||
|
|
|||
| The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | |||
|
|
|||
| It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. | |||
|
|
|||
There was a problem hiding this comment.
| The sub (Subject) claim in the signed Request Object MUST NOT be present, to prevent [cross-JWT confusion](https://www.rfc-editor.org/rfc/rfc9101.html#name-cross-jwt-confusion). | |
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
This PR recommends using signed OIDC authoritzation code flow requests.
Which issue(s) this PR fixes:
Fixes #205