Conflicting requirement on request object signature

[frederikrothenberger]

Hi

The standard says in section 5.10.4:

• redirect_uri: This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.

The requirement on the absence of a signature seems to be in conflict with the requirement from section 5.11.1 if combined with the request_uri parameter:

The Request URI response MUST be an HTTP response with the content type "application/oauth-authz-req+jwt" and the body being a signed, optionally encrypted, request object as defined in [RFC9101].

So, is there a signature required on the request object returned from the request_uri resource if the client_id_scheme is redirect_uri?

[Sakurann]

I think the intention is that client identifier scheme redirect_uri cannot be used with RFC9101 since rfc9101 does not allow alg = none. clarified in #403

[c2bo]

I agree this needs to be formulated a bit clearer:

• I am under the impression that JAR allows alg=none
• we say the object is signed and optionally encrypted -> this would imply alg=none is not allowed - but the statement is not very clear

If we want alg=none to not be allowed for the Request Object, then we should be clearer

If we want to allow alg=none (which I do believe at least some implementations do or did), then we should change the sentence to something like

The Request URI response MUST be an HTTP response with the content type "application/oauth-authz-req+jwt" and the body being a Request Object as defined in [RFC9101] that can be signed and encrypted.

relevant issue #292

[tlodderstedt]

JAR does require implementations to refuse processing of request objects if alg in none.

We should keep it that way.

[c2bo]

Isn't that only true in the context of the metadata parameter require_signed_request_object=true? alg=none would be allowed if require_signed_request_object is omitted or false. Perhaps I am misunderstanding the RFC, but I would currently understand it as if require_signed_request_object is false or omitted, then there could be a request object with alg=none.

For the problem at hand (a request with redirect_uri (=unsigned) & request_uri) that would allow alg=none. I am also pretty sure I have seen implementations in the past that worked that way with redirect_uri.
I agree that we should probably not allow/encourage the use of alg=none, but I don't think it is clear enough with the current wording.

[jogu]

Agree with Christian here, JAR allows alg none by default and there is no text in VP that disallows it. As I said on #403 the conformance tests support alg none for this and a number of people do seem to be using it when testing. We shouldn't rush to make a breaking change here.

I'm pretty sure HAIP already disallows alg none (by requiring x509_san_dns) which seems right/sufficient.

[awoie]

I also agree with @jogu and @c2bo. I don't like alg=none but we should not make a breaking change.