[OAUTH-WG] Re: [RFC7523] JWT-SVID as a client_assertion

Thu, 13 Feb 2025 05:00:29 -0800 

So I’ve been thinking of similar

> On 13 Feb 2025, at 01:24, Dmitry Telegin <dmit...@backbase.com> wrote:
> 
> (Background: exploring the possibility of using SPIFFE as client 
> authentication mechanism at the Transaction Token service.)
> 
> JWT-SVIDs, defined in SPIFFE, are regular JWTs, though with some 
> peculiarities:
> * the "sub", "aud" and "exp" claims are mandatory;
> * the "iss" claim is optional (but would be normally added by SPIRE);
> * the "sub" claim must be set to the workload's SPIFFE ID;
> * the issuer of the JWT-SVID is the SPIRE server and not the workload; the 
> workload only controls the acquisition and presentation aspects.
> 
> Question 1. Is the use of JWT-SVIDs for client authentication (as a 
> client_assertion) compliant with RFC7523(bis)?

I don’t see why not. RFC7523 isn’t particularly prescriptive on the exact claim 
set of the JWT.

> Question 2. If so, what would be the best approach to registering such 
> clients with the AS (TTS)? Static registration doesn't work very well because 
> of the SPIFFE's dynamic nature. DCR could be problematic because for 
> JWT-based client auth mechanisms we only have "private_key_jwt" and 
> "client_secret_jwt" (and JWT-SVIDs are neither). Should the AS/TTS perform 
> some sort of automatic client registration when it first encounters a 
> JWT-SVID signed by a trusted issuer?

That’s your big question. I see two options:

1. Accept “spiffe:” as a client ID prefix per 
draft-parecki-oauth-client-id-scheme 
<https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-scheme/>. You’d 
still need to solve the metadata question 
2. Define a “svid_jwt” client auth method and a “spiffe_id” metadata property 
that the client would provide during registration. The client still needs to 
register itself (or be manually registered, or have something register it on 
behalf…)  and know its client ID. 
2a. Do the above and augment dynamic client registration so the client can 
maintain and fetch its own registration with just a SVID JWT (or SVID x.509 
MTLS certificate?)

(I could see something like 2a based upon JWT credentials the client has from 
elsewhere being generically useful, not necessarily tied directly to SPIFFE).

- Erin
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to