openid / OpenID4VCI


Client Authentication at the Token Endpoint #130

Closed paulbastian closed 6 months ago

paulbastian commented 9 months ago

The example from Token Request at the current spec: https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#section-6.1-9

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
&redirect_uri=https%3A%2F%2FWallet.example.org%2Fcb

Why does it contain a Basic Auth header? I think we should consider using client authentication, e.g. with attestation-based client authentication, as this seems to fit the ecosystem of OpenID4VCI better. Shall we consider mentioning this explicitly as optional?

Sakurann commented 9 months ago

It contains a Basic Auth header if the wallet is using any of the client authentication methods already defined in rfc6749 that use the HTTP Basic authentication scheme. I don't see a problem with this, and given there are asks to decouple client authentication from client attestation in the attestation IETF draft, I am reluctant to change this at this point.

peppelinux commented 9 months ago

@Sakurann I understand perfectly the formal rigor of your approach and of the given example; however, this example may cause doubts for implementers who wonder how a wallet may have obtained a client_id and a secret passphrase from an AS before the authorization, and then how client registration may occur between a wallet and an AS.

May we think about using attestation-based client attestation for the dynamic client registration of wallets with ASs? I would not go so far from what we already have ... however, let's discuss this; it probably requires another draft to extend dynamic client registration using the WIA for the wallet use cases.

At this current stage I would simply remove the basic authentication and use the WIA~PoP, with a ref to the related IETF specification.

selfissued commented 8 months ago

I would not agree with removing client authentication from the example.

jogu commented 6 months ago

I agree that a client secret is unlikely to be used in practice with VCI. How about using private_key_jwt in the example instead?

Sakurann commented 6 months ago

I don't think client attestation draft in IETF is mature enough to be used in the example in VCI yet (assuming that's what you meant by WIA~PoP). I would be fine with changing to private_key_jwt.

peppelinux commented 6 months ago

private_key_jwt looks quite comfortable to me as well.