Open SECtim opened 3 weeks ago
@rohe and I discussed this on the Federation editors' call today. Can you provide the complete revised sentence in which you'd like to see "This presents reuse of" occur? We weren't sure what exact text changes you are requesting.
Thank you for the swift response! Sure:

> MUST NOT be present. This prevents reuse of the statement for `private_key_jwt` client authentication.

Section 12.1.1.1. describes the `sub` claim in the Authentication Request's Request object as follows: https://github.com/openid/federation/blob/a3f16063ac529842cb28970d1c2a08e0e86baa1c/openid-federation-1_0.xml#L5740-L5747

While not having a `sub` claim does indeed prevent reuse as a `private_key_jwt` credential, the value of `aud` ("...MUST be or include the OP's Issuer Identifier URL.") does not: OIDC allows any `aud` value in a `private_key_jwt`, as long as the OP can verify that it is the intended audience (e.g., accepting its Issuer Identifier seems like a reasonable thing to do, even though OIDC says that it SHOULD - but not MUST - be the Token EP URL). Hence, I think "This prevents reuse of..." would be more accurate.
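An added claims-level check (not code from the openid/federation project or from this thread) illustrating the point above: a Request Object whose `aud` is the OP's Issuer Identifier would pass an OP's `private_key_jwt` audience check, and only the absence of `sub` stops it from being replayed as a client assertion. The OP URLs, the accepted-audience set and the helper names are constructed assumptions; signature verification is assumed to have already happened.

```python
import time

# Constructed sample OP identifiers (assumptions, not from the spec text).
OP_ISSUER = "https://op.example.com"
OP_TOKEN_ENDPOINT = "https://op.example.com/token"

# Audiences this hypothetical OP accepts for a client assertion. OIDC Core
# says the Token Endpoint URL SHOULD be used, so accepting the Issuer
# Identifier as well is a common and reasonable choice.
ACCEPTED_ASSERTION_AUD = {OP_TOKEN_ENDPOINT, OP_ISSUER}


def reject_as_client_assertion(claims, client_id, now=None):
    """Return None if `claims` are acceptable as a private_key_jwt client
    assertion for `client_id`, else the first reason for rejection.
    Mirrors the claim rules of RFC 7523 / OIDC Core section 9 (iss == sub ==
    client_id, acceptable aud, not expired); signature checks are out of scope."""
    now = time.time() if now is None else now
    if claims.get("iss") != client_id:
        return "iss must be the client_id"
    if "sub" not in claims:
        return "sub missing"  # the only thing the Request Object rule relies on
    if claims["sub"] != client_id:
        return "sub must be the client_id"
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & ACCEPTED_ASSERTION_AUD:
        return "aud not accepted"
    if claims.get("exp", 0) <= now:
        return "expired"
    return None


def request_object_claims(client_id, with_sub):
    """Constructed Request Object claims: `aud` is the OP's Issuer Identifier
    (as section 12.1.1.1 requires); `sub` is omitted unless with_sub is True."""
    claims = {
        "iss": client_id,
        "aud": OP_ISSUER,
        "exp": 2_000_000_000,
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": "https://rp.example.org/cb",
    }
    if with_sub:
        claims["sub"] = client_id
    return claims
```

With `sub` omitted the Request Object is rejected as a client assertion; with `sub` present it would be accepted, even though its `aud` is only the Issuer Identifier.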