Closed pmcb55 closed 3 years ago
In all DPoP-bound Access Tokens, the cnf claim is required. See the DPoP spec:
Access tokens that are represented as JSON Web Tokens (JWT) [RFC7519] MUST contain information about the DPoP public key (in JWK format) in the member "jkt" of the "cnf" claim, as shown in Figure 5.
On the other hand we probably should accept Bearer tokens (they are legitimate and secure enough in trusted contexts).
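Added example, not code from the issue, the Solid-OIDC draft or the DPoP spec: a resource-server check that enforces the point above, requiring cnf.jkt on a DPoP-bound token and matching it against the RFC 7638 thumbprint of the key in the DPoP proof, while still accepting a plain Bearer token that carries no binding. The JWK values, the token-building helper and the scheme strings are constructed assumptions, and verification of the token signature and of the DPoP proof itself is assumed to happen before this check runs.

```python
import base64
import hashlib
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}  # KeyError if a member is missing
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())

def make_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for this example (placeholder signature)."""
    header = b64url_encode(json.dumps({"alg": "ES256", "typ": "at+jwt"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.placeholder-sig"

def check_binding(scheme: str, token: str, proof_jwk: Optional[dict]) -> str:
    """Resource-server decision on the Authorization scheme and the token's cnf claim.
    Assumes token signature, proof signature and proof freshness were already verified."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    cnf = claims.get("cnf") or {}
    if scheme == "Bearer":
        # Defensive choice: a key-bound token must not be usable as a plain bearer token.
        return "reject: DPoP-bound token presented as Bearer" if cnf else "accept: Bearer"
    if scheme != "DPoP":
        return "reject: unsupported scheme"
    if proof_jwk is None:
        return "reject: DPoP scheme without a DPoP proof"
    if "jkt" not in cnf:
        return "reject: token lacks cnf.jkt"
    if cnf["jkt"] != jwk_thumbprint(proof_jwk):
        return "reject: cnf.jkt does not match the proof key"
    return "accept: DPoP"

# Constructed sample: the public JWK a client would place in its DPoP proof header.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
BOUND_TOKEN = make_token({"iss": "https://issuer.example", "sub": "alice",
                          "webid": "https://alice.example/#me",
                          "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}})
BEARER_TOKEN = make_token({"iss": "https://issuer.example", "sub": "alice"})
```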
I clarify the claims section in my pull requests:
Which incidentally happened 10 minutes before you published this issue and related pull request 106. ^^,
I believe this issue has been resolved and can be closed.
This issue was resolved via #106. Please feel free to re-open if further textual clarification is needed.
In the solid-oidc draft, I find the wording in relation to the `cnf` claim here a little unclear, and inconsistent with the descriptions for the other claims listed alongside it. Since all these claim descriptions are all under the heading "The DPoP-bound Access Token MUST contain at least these claims:", why does this `cnf` call out that it's only REQUIRED for flows that require DPoP?

In other words, are there flows that don't require DPoP, but that might provide a DPoP-bound Access Token anyway, in which case those particular flows are not REQUIRED to provide a `cnf` claim, but they still MUST provide all the other REQUIRED claims as described here...?