Skip to content

Claims in signed authentication requests #283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
garciasolero opened this issue Mar 21, 2025 · 0 comments · May be fixed by #285
Open

Claims in signed authentication requests #283

garciasolero opened this issue Mar 21, 2025 · 0 comments · May be fixed by #285
Labels
documentation Improvements or additions to documentation fall25
Milestone
Meta-release Fall25

Comments

@garciasolero
Copy link
Contributor

garciasolero commented Mar 21, 2025
edited
Loading

Problem description

In the Signed Authentication Requests section of the Authorization Code flow, there is no mention of which typical claims are mandatory, as is already the case in the CIBA specification.

Expected action

To mitigate possible attacks, as we commented in a previous issue, we should make the following claims mandatory: iss, aud, iat, exp and jti.

In addition, we should apply the same maximum request object lifetime policy in both CIBA and Authorization Code flows that we require in the client assertion for authentication.

Additional context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Improvements or additions to documentation fall25
Projects
None yet
Milestone
Meta-release Fall25
Development

Successfully merging a pull request may close this issue.

mandatory fields in signed ACF request objects camaraproject/IdentityAndConsentManagement
2 participants
@garciasolero @jpengar