Should token_endpoint_auth_signing_alg be considered? #35
Comments
|
In general I agree that a piece of metadata like this is useful, the other option which springs to mind is to reuse the token_endpoint_auth_signing_alg metadata property for this auth method instead of defining a new metadata element. |
|
Which ever metadata element we choose for this purpose it should apply to BOTH the attestation JWT and PoP JWT. |
|
We would also need to clarify that the signing algorithm used for the attestation JWT and PoP JWT do not need to be the same however both would need to be permitted for the client making the request to the authorization server. |
|
Considering this more I think it is safer to have a new seperate metadata element for signalling support algorithms for this client authentication mechanism. |
|
I believe the re-use of both AS discovery
JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint This fits.
JWS alg algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods This doesn't fit but only needs an updated description. |
OpenID Connect Dynamic Client Registration 1.0, Section 2. Client Metadata, defines the
token_endpoint_auth_signing_algclient metadata as follows.Should server-side implementations of the
attest_jwt_client_authclient authentication method take the client metadata into consideration? To be concrete, should server-side implementations reject requests when the Client Attestation PoP JWT is not signed with the algorithm specified by the client metadata if the metadata is set, or may server-side implementations ignore the client metadata when processing theattest_jwt_client_authclient authentication method?The text was updated successfully, but these errors were encountered: