Archived 2023.08.11. Content moved to Guidance on Client Authentication
Question
In CDS Client Authentication, there is a requirement that "Data Recipients MUST authenticate Data Holders and the CDR Register using the Self-signed JWT Client Authentication method."
In CDS Private Key JWT Client Authentication, the client_id is specified as REQUIRED. This does not appear to be part of the OIDC standard. Is client_id a CDS-specific requirement?
What is the CDS guideline on validating the client_id parameter sent in a token request?
Should that be validated against the subject claim value in the client-assertion, and rejected if the client_id in the request is different to the subject claim in the client-assertion?
Answer
Section 9 of OIDC pertains to the JWT, signed by the client and presented as the client assertion. The client_id is sent to identify the confidential client when sending requests to the token endpoint, as part of authenticating its client credentials. See section 3.2.1 of RFC 6749. The client_id is required for requests utilising mutual-TLS client authentication in RFC 8705.
The requirements for passing and validating the client_id, or other required parameters defined in the Private Key JWT client authentication section, apply to any CDS endpoints that require Private Key JWT client authentication.
The client_id is the value the DH issues to the confidential client (ADR software product) as part of Dynamic Client Registration. The subject in this instance is the confidential client.
The client_id should be validated against the subject claim value in the client-assertion, and rejected if the client_id in the request is different to the subject claim in the client-assertion.
See:
- CDS Authentication flows
- OIDC
- OpenID Connect Discovery Provider Configuration Request
- OAuth 2.0
- FAPI
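The check described in the answer, as an added example that is not part of the original article and not any Data Holder's implementation: a Data Holder-side validation of a private_key_jwt token request that rejects the request when the client_id parameter differs from the client assertion's sub claim, and also applies the other client-assertion claim checks from OIDC section 9 / RFC 7523 (iss, aud, exp, jti). Assumptions: standard library only; signature verification against the ADR's registered JWKS is supplied by the caller as verify_signature(client_id, assertion); the expected audience is the token endpoint URL; all identifiers, URLs and timestamps are constructed sample values.

```python
import base64
import json

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_sample_assertion(claims: dict) -> str:
    # Constructed sample only: header and claims are real JWT segments,
    # the signature segment is a placeholder (no key material in this example).
    header = _b64url_encode(json.dumps({"alg": "PS256", "typ": "JWT", "kid": "example-kid"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


def validate_token_request(form: dict, token_endpoint: str, now: int, seen_jti: set, verify_signature):
    """Return (accepted, reason) for a token request using private_key_jwt client authentication.

    verify_signature(client_id, assertion) is the caller's check of the assertion signature
    against the JWKS registered for that client_id; seen_jti is the replay cache."""
    client_id = form.get("client_id")
    if not client_id:
        return False, "client_id is REQUIRED"
    if form.get("client_assertion_type") != ASSERTION_TYPE:
        return False, "unsupported client_assertion_type"
    assertion = form.get("client_assertion", "")
    try:
        _, payload_seg, _ = assertion.split(".")
        claims = json.loads(_b64url_decode(payload_seg))
    except ValueError:  # wrong segment count, bad base64url, or bad JSON
        return False, "malformed client_assertion"
    if not isinstance(claims, dict) or not verify_signature(client_id, assertion):
        return False, "client_assertion signature invalid"
    # The article's point: the client_id in the request must equal the assertion's subject.
    if claims.get("sub") != client_id:
        return False, "client_id does not match client_assertion sub"
    if claims.get("iss") != client_id:
        return False, "client_assertion iss must be the client_id"
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return False, "client_assertion aud does not include the token endpoint"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "client_assertion expired or missing exp"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "client_assertion jti missing or replayed"
    seen_jti.add(jti)  # remember the jti until exp so a captured assertion cannot be replayed
    return True, "ok"
```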