Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow the wallet to choose how to get the public key to authenticate the request and the client #247

Open
awoie opened this issue Sep 5, 2024 · 2 comments
Open

Allow the wallet to choose how to get the public key to authenticate the request and the client #247

awoie opened this issue Sep 5, 2024 · 2 comments

Comments

@awoie
Copy link
Contributor

awoie commented Sep 5, 2024
edited
Loading

The current specification imposes limitations on how the wallet must authenticate the client and where to retrieve the public key to verify the signature of a signed request. In scenarios where both the verifier and the wallet support multiple authentication methods, the wallet may not always have access to all the required options or trust points. This can lead to failed transactions and a suboptimal user experience.

To maintain security while improving user experience, we propose removing the client_id_scheme parameter and allowing the verifier to provide multiple authentication methods. The wallet would then be able to select from the supported and accepted options.

Proposal:

  • Remove the client_id_scheme parameter.
  • Allow the verifier to offer multiple authentication options for the wallet, specifically for retrieving the public verification key for signed request objects. It is up to the verifier to decide whether to provide multiple options, and the wallet can choose which options to accept.

PR #237 may address this need.
@awoie awoie changed the title Allow multiple methods for authenticating the client Allow the wallet to choose how to get the public key to authenticate the request and the client Sep 5, 2024
@jogu
Copy link
Collaborator

jogu commented Sep 6, 2024
edited
Loading

I'm not sure I understand the details of this proposal yet, but I can see two things that would need to happen in addition to removing client_id_scheme and allowing multiple authentication methods:

  1. The verifier needs a way to be able to supply multiple x509 certificates, e.g. if it wants to authenticate using x509_san_dns and certificates from multiple countries/states (i.e. you can't specify multiple x5c headers, and although you can put multiple certs in a single x5c these must form a single chain)
  2. The verifier needs a way to specify multiple client_ids as it may be trying to, for example, authenticate with both openid federation (requiring a client_id in the form https://example.com) and x509_san_dns (requiring a client_id in the form example.com) - or we need to redefine some of the client_id_schemes so a single client_id does work across all of them (but I'm not sure that's possible in practice)

@jogu
Copy link
Collaborator

jogu commented Sep 6, 2024

#248 proposes what I think may be a more general solution.

@tplooker tplooker mentioned this issue Sep 16, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jogu @awoie