openid / federation


aud Claim in Authentication Request Does Not Prevent private_key_jwt Reuse #46

Open SECtim opened 3 weeks ago

SECtim commented 3 weeks ago

Section 12.1.1.1. describes the sub claim in the Authentication Request's Request object as follows: https://github.com/openid/federation/blob/a3f16063ac529842cb28970d1c2a08e0e86baa1c/openid-federation-1_0.xml#L5740-L5747

While not having a sub claim does indeed prevent reuse as a private_key_jwt credential, the value of aud ("...MUST be or include the OP's Issuer Identifier URL.") does not: OIDC allows any aud value in a private_key_jwt, as long as the OP can verify that it is the intended audience (e.g., accepting its Issuer Identifier seems like a reasonable thing to do, even though OIDC says that it SHOULD - but not MUST - be the Token EP URL).

Hence, I think "This prevents reuse of..." would be more accurate.

selfissued commented 3 weeks ago

@rohe and I discussed this on the Federation editors' call today. Can you provide the complete revised sentence in which you'd like to see "This prevents reuse of" occur? We weren't sure what exact text changes you are requesting.

SECtim commented 3 weeks ago

Thank you for the swift response! Sure:

MUST NOT be present. This prevents reuse of the statement for private_key_jwt client authentication.
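To make the argument in this thread concrete, here is an added illustration (not code from the federation spec or this repository) of the claim checks an OP applies to a private_key_jwt assertion; the issuer, endpoint and client values are constructed. A Request Object whose aud is the OP's Issuer Identifier passes the audience check, and only the absent sub claim stops it from being accepted as a client assertion.

```python
# Constructed values for the illustration (not from the spec or the repo).
OP_ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = OP_ISSUER + "/token"
CLIENT_ID = "https://rp.example.org"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# A federation-style Request Object: iss is the RP, aud is the OP's Issuer
# Identifier, and (per the proposed text) there is no sub claim.
REQUEST_OBJECT = {
    "iss": CLIENT_ID, "aud": OP_ISSUER, "client_id": CLIENT_ID,
    "response_type": "code", "jti": "req-1", "iat": NOW, "exp": NOW + 300,
}


def accepted_audiences(op_issuer, token_endpoint):
    # OIDC Core: aud SHOULD be the Token Endpoint URL, but an OP may also
    # accept its own Issuer Identifier, which is why aud alone is no barrier.
    return {op_issuer, token_endpoint}


def check_as_client_assertion(claims, op_issuer, token_endpoint, client_id, now=NOW):
    """Claim checks an OP applies to a private_key_jwt assertion.
    Returns (accepted, reason); signature verification is assumed done."""
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & accepted_audiences(op_issuer, token_endpoint):
        return False, "aud does not name this OP"
    if "sub" not in claims:
        return False, "sub missing: not a client assertion"
    if claims.get("iss") != claims["sub"] or claims["sub"] != client_id:
        return False, "iss and sub must both equal the client_id"
    if claims.get("exp", 0) <= now:
        return False, "assertion expired"
    if "jti" not in claims:
        return False, "jti required for replay detection"
    return True, "accepted"


if __name__ == "__main__":
    # Spec-conformant Request Object: rejected only because sub is absent.
    print(check_as_client_assertion(REQUEST_OBJECT, OP_ISSUER, TOKEN_ENDPOINT, CLIENT_ID))
    # Same object with a sub claim added: aud did not stop the reuse.
    print(check_as_client_assertion(dict(REQUEST_OBJECT, sub=CLIENT_ID),
                                    OP_ISSUER, TOKEN_ENDPOINT, CLIENT_ID))
```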