-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
recommend auth code flow using signed requests #226
base: main
Are you sure you want to change the base?
Conversation
My apologies, I created #233, before seeing this PR. Possible to use #233 instead? |
Co-authored-by: Jesús Peña García-Oliva <[email protected]>
I would like to clarify why the OIDC specification was chosen over RFC 9101. It is important because, although they are very similar, they have small but significant differences. OIDC:
From my point of view, it is more interesting to follow RFC 9101, as it would ignore parameters that the client did not have to send and could potentially change how an authorization server processes the request. |
@@ -66,6 +66,8 @@ All network connections MUST use TLS 1.2 or better. | |||
|
|||
The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | |||
|
|||
It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both in OIDC and RFC 9101, the valid value for the aud
field should be the issuer of the authorization server. I don't see any specification that recommends the Token Endpoint for signed request object.
Even in the CIBA specification, it is also established that the valid value should be the issuer of the authorization server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@garciasolero
The CAMARA specification specifically makes this recommendation.
However, this applies to client authentication, and for authorisation code flow, it is only the /token
endpoint where the client is authenticated. For signing the authorisation request, I agree that is does not necessarily follow that the aud
should also be the URL of the token endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are right, hence my comment. The recommendations apply depending on what type of assertion it is, and we should be aligned with what the standards say.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OIDC Core refers to [RFC9101], under section Explicit Endpoints, it is RECOMMENDED good practice to explicitly state the intended interaction endpoints, in this context the Authorization endpoint (authorization_endpoint)
I have the following concern on this phrase in OIDC Core:
The JWT MAY contain other Claims. Any Claims used that are not understood MUST be ignored." under the private_key_jwt section.
The aud
claim explicitly stating the intended endpoint, will prevent misuse of the signed JWT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. | |
It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). | |
This document recommends the value of `aud` (Audience) claim MUST be the Authorization endpoint as RECOMMENDED by [\[RFC9101\], Explicit Endpoints](https://www.rfc-editor.org/rfc/rfc9101.html#name-explicit-endpoints). |
I would like to propose to append the following point regarding the 8< ------------------------ |
@@ -66,6 +66,8 @@ All network connections MUST use TLS 1.2 or better. | |||
|
|||
The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | |||
|
|||
It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). This document recommends in the [client credentials section](#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object. | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The sub (Subject) claim in the signed Request Object MUST NOT be present, to prevent [cross-JWT confusion](https://www.rfc-editor.org/rfc/rfc9101.html#name-cross-jwt-confusion). | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added proposed changes, including references
Pending topics:
Could we please resume and close these topics as it's under the Spring25 scope. |
Referring to the Breaking it down: Point b) is read as "OP's Issuer Identifier URL" is used as a prefix. |
Referring to OIDC, Client Authentication, private_key_jwt, the following statement is present: If this signed request object (for /authorize) |
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
This PR recommends using signed OIDC authoritzation code flow requests.
Which issue(s) this PR fixes:
Fixes #205