client_id optional in the request body #81

Open
Sakurann opened this issue Jul 26, 2024 · 1 comment
@Sakurann
Contributor

OAuth2 (RFC 6749) chapter 4.1.3, Access Token Request, says:

    client_id
        REQUIRED, if the client is not authenticating with the
        authorization server as described in Section 3.2.1.

But then the client assertion drafts make client_id optional: https://datatracker.ietf.org/doc/html/rfc7521

Would you agree that client_id should be optional in this draft, too?

@c2bo
Member

c2bo commented Aug 21, 2024

This draft doesn't directly use the assertion framework anymore, but I think the idea (to not require client_id) makes sense here as well. This would basically mean the following?

  • if client_id exists, then
    • Attestation sub MUST be equal to client_id
    • Attestation PoP iss MUST be equal to client_id
  • otherwise client_id is implicit and
    • Attestation sub MUST be equal to Attestation PoP iss

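The rule sketched in the comment above, written out as an added example (this is not code from the draft or its reference implementation, and the claim names, sample identifiers and JWT layout below are assumptions, not from this issue). The authorization server receives an optional client_id form parameter plus the Client Attestation JWT and the Client Attestation PoP JWT; after both signatures have been verified elsewhere (out of scope here), it resolves the effective client_id by checking the attestation's sub and the PoP's iss against each other and, when present, against the form parameter. The sample JWTs are constructed inline with a dummy signature segment so the block runs offline.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def claims_of(compact_jws: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    Signature verification is deliberately NOT done here: this helper assumes
    the caller has already verified the attestation against the attester's key
    and the PoP against the key bound in the attestation, and only reads the
    claims that the client_id binding check needs.
    """
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def resolve_client_id(form_client_id: Optional[str],
                      attestation_jwt: str, pop_jwt: str) -> str:
    """Apply the binding rule from the issue and return the effective client_id.

    - client_id present:  attestation.sub == client_id and pop.iss == client_id
    - client_id absent:   attestation.sub == pop.iss, which then IS the client_id
    Any mismatch raises ValueError so the token request can be rejected.
    """
    att_sub = claims_of(attestation_jwt).get("sub")
    pop_iss = claims_of(pop_jwt).get("iss")
    if not att_sub or not pop_iss:
        raise ValueError("attestation 'sub' and PoP 'iss' must both be present")

    if form_client_id is not None:
        if att_sub != form_client_id:
            raise ValueError("attestation 'sub' does not match client_id")
        if pop_iss != form_client_id:
            raise ValueError("attestation PoP 'iss' does not match client_id")
        return form_client_id

    # client_id omitted from the body: it is implicit in the two JWTs, which
    # must agree with each other.
    if att_sub != pop_iss:
        raise ValueError("attestation 'sub' does not match attestation PoP 'iss'")
    return att_sub


def check_request(form_client_id: Optional[str],
                  attestation_jwt: str, pop_jwt: str) -> Tuple[bool, str]:
    """Non-raising wrapper: (accepted, client_id-or-reason)."""
    try:
        return True, resolve_client_id(form_client_id, attestation_jwt, pop_jwt)
    except ValueError as exc:
        return False, str(exc)


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWS with a dummy signature (constructed test data only)."""
    header = {"alg": "ES256", "typ": "JWT"}  # assumed header; not verified here
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "dummy-signature",
    ])


# Constructed sample data (hypothetical identifiers).
CLIENT_ID = "https://client.example/app"
ATTESTATION_JWT = make_unsigned_jwt({
    "iss": "https://attester.example",
    "sub": CLIENT_ID,
    "exp": 1900000000,
    "cnf": {"jwk": {"kty": "EC", "crv": "P-256", "x": "x", "y": "y"}},
})
POP_JWT = make_unsigned_jwt({
    "iss": CLIENT_ID,
    "aud": "https://as.example",
    "jti": "pop-1",
    "exp": 1900000000,
})
# A PoP issued for a different client: must be rejected in both modes.
POP_JWT_OTHER = make_unsigned_jwt({
    "iss": "https://other.example/app",
    "aud": "https://as.example",
    "jti": "pop-2",
    "exp": 1900000000,
})


if __name__ == "__main__":
    print(check_request(CLIENT_ID, ATTESTATION_JWT, POP_JWT))
    print(check_request(None, ATTESTATION_JWT, POP_JWT))
    print(check_request(None, ATTESTATION_JWT, POP_JWT_OTHER))
    print(check_request("https://other.example/app", ATTESTATION_JWT, POP_JWT))
```

Note that in the implicit case the value returned from resolve_client_id is what the server should use as the client_id for everything that follows (client lookup, policy, token issuance); it must not fall back to any other client identifier carried in the request.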