
Add Signed Request Object section to CAMARA Security and Interoperability Profile #233

Closed

Conversation


@mhfoo mhfoo commented Nov 20, 2024

What type of PR is this?

Add one of the following kinds:

  • enhancement/feature
  • documentation

What this PR does / why we need it:

Recommends signed Request Object for CAMARA Authorization Code flow.
The current OpenID Connect profile for CAMARA allows multiple methods for performing the authentication request for the Authorization Code flow. The aim of this PR is to standardize a common method for CAMARA.

Which issue(s) this PR fixes:

Fixes #205

Fixes #

Special notes for reviewers:

None

Changelog input

```release-note
- Recommend the use of signed Request Object for Authorization Code flow
```

Additional documentation

None
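Worked example, added here and not part of the PR or the CAMARA project, of what the recommendation amounts to on both sides: the client builds a request object with `iss` set to its client_id, `aud` set to the authorization endpoint and no `sub`, passes it by value in the `request` parameter, and the authorization server's check rejects the cases the proposed text rules out. Assumptions: HS256 with a shared client secret (standard library only; a deployment would normally use the client's registered asymmetric key), and constructed endpoint, client and secret values.

```python
import base64, hashlib, hmac, json, time
AUTHZ_ENDPOINT = "https://as.example.com/authorize"  # constructed sample values, not CAMARA's
CLIENT_ID = "client-123"
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"  # HS256 shared secret: an assumption

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, secret: bytes) -> str:
    head = _b64u(b'{"alg":"HS256","typ":"JWT"}')  # JWS compact serialisation
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def build_authorization_query(state: str, nonce: str) -> dict:
    """Client side: the signed request object travels by value in `request`."""
    now = int(time.time())
    claims = {
        "iss": CLIENT_ID,           # the client issues the request object
        "aud": AUTHZ_ENDPOINT,      # audience is the authorization endpoint
        "iat": now, "exp": now + 300,
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": "https://client.example.com/cb",
        "scope": "openid", "state": state, "nonce": nonce,
        # deliberately no "sub": a request object makes no claim about a user
    }
    return {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
            "request": sign_request_object(claims, CLIENT_SECRET)}

def verify_request_object(jwt: str, secret: bytes, client_id: str) -> dict:
    """Authorization-server side: reject what the proposed profile text forbids."""
    head, body, sig = jwt.split(".")
    if json.loads(_b64u_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64u_dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_dec(body))
    if "sub" in claims:
        raise ValueError("sub present: cross-JWT confusion")
    if claims.get("aud") != AUTHZ_ENDPOINT:
        raise ValueError("aud is not this authorization endpoint")
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        raise ValueError("iss/client_id mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("request object expired")
    return claims
```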

@@ -66,6 +66,22 @@ All network connections MUST use TLS 1.2 or better.

The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)

### Signed Request Object

It is RECOMMENDED to use signed Request Object, a [JSON Web Token (JWT) \[RFC7519\]](https://www.rfc-editor.org/rfc/rfc7519.html), passed by value, as specified by [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests) and [\[RFC9101\]](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2).

Suggested change
It is RECOMMENDED to use signed Request Object, a [JSON Web Token (JWT) \[RFC7519\]](https://www.rfc-editor.org/rfc/rfc7519.html), passed by value, as specified by [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests) and [\[RFC9101\]](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2).
It is RECOMMENDED to use a signed request object as specified by [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests) [pass the signed request object by value](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject).



The `sub` (Subject) claim in the signed Request Object MUST NOT be present, to prevent [cross-JWT confusion](https://www.rfc-editor.org/rfc/rfc9101.html#name-cross-jwt-confusion).

Suggested change
The `sub` (Subject) claim in the signed Request Object MUST NOT be present, to prevent [cross-JWT confusion](https://www.rfc-editor.org/rfc/rfc9101.html#name-cross-jwt-confusion).

sub is not part of https://openid.net/specs/openid-connect-core-1_0.html#RequestObject



The value of `aud` (Audience) claim MUST be the Authorization endpoint as RECOMMENDED by [\[RFC9101\]](https://www.rfc-editor.org/rfc/rfc9101.html#name-explicit-endpoints).

Suggested change
The value of `aud` (Audience) claim MUST be the Authorization endpoint as RECOMMENDED by [\[RFC9101\]](https://www.rfc-editor.org/rfc/rfc9101.html#name-explicit-endpoints).
The value of `aud` (Audience) claim MUST be set to a value that the authorization server accepts as itself.
This document recommends in the [client credentials section](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#client-authentication) that the `aud` value SHOULD be the URL of the Authorization Server's [Token Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). The same recommendation is given for the `aud` value of the signed request object.



The following query string parameters of the authorization request URI are REQUIRED, the rest of the [request parameters](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) are OPTIONAL:

Suggested change
The following query string parameters of the authorization request URI are REQUIRED, the rest of the [request parameters](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) are OPTIONAL:

Does this section change what is defined in OIDC?
The request parameter cannot be REQUIRED if the signed request object is RECOMMENDED.
Can this section be removed because no change to OIDC?
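Review bot: the `aud` sentence in this hunk mixes normative levels: it says the value MUST be the Authorization endpoint while citing a RECOMMENDED in RFC 9101, so either keep the MUST on its own or make the sentence a SHOULD that matches the reference. The hunk also only constrains what the client puts into the Request Object; it never says what the Authorization Server verifies (that the signature validates, that `aud` is its own endpoint, that `sub` is absent) or that a Request Object failing those checks is rejected, which is where the cross-JWT confusion protection actually comes from. Suggest one sentence after the `aud` paragraph, e.g. "The Authorization Server MUST reject a Request Object whose signature does not verify, whose `aud` is not its own endpoint, or that contains a `sub` claim."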

@AxelNennker

Relationship to #226 ???


mhfoo commented Nov 20, 2024

Relationship to #226 ???

I believe it is addressing the same #205 issue I raised previously. In an earlier ICM call, 6 Nov, I did mention I will create a PR to address #205.

@AxelNennker

I added a recommendation regarding the value of aud to this PR.
That seems to be the major difference to #233.

With that, I think, we can close #233 and merge this?


jpengar commented Nov 21, 2024

@mhfoo @AxelNennker I propose that PR #233 be closed as a duplicate of #226. I also suggest that we agree on a final text and merge that final agreement into #226, which is already being reviewed by other WG participants.


mhfoo commented Nov 21, 2024

@mhfoo @AxelNennker I propose that PR #233 be closed as a duplicate of #226. I also suggest that we agree on a final text and merge that final agreement into #226, which is already being reviewed by other WG participants.

Sure. I will propose my points in #226.

@mhfoo mhfoo closed this Nov 21, 2024
Development

Successfully merging this pull request may close these issues.

Spring25: Proposal to RECOMMEND the use of Signed Request Object for the /authorize endpoint to prevent abuse