recommend auth code flow using signed requests - reloaded #251

Merged
merged 5 commits into from
Jan 23, 2025
15 changes: 15 additions & 0 deletions documentation/CAMARA-Security-Interoperability.md
@@ -10,6 +10,7 @@
* [Transport Security](#transport-security)
* [Sender-Constrained Tokens](#sender-constrained-tokens)
* [OIDC Authorization Code Flow](#oidc-authorization-code-flow)
* [Signed Authentication Requests](#signed-authentication-requests)
* [Optional Parameters](#optional-parameters)
* [Cross-Site Request Forgery Protection](#cross-site-request-forgery-protection)
* [Client-Initiated Backchannel Authentication Flow](#client-initiated-backchannel-authentication-flow)
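Review bot: Style point on the new TOC entry: `* [Signed Authentication Requests](#signed-authentication-requests)` is placed between the OIDC Authorization Code Flow and Optional Parameters entries, which matches the order of the sections in the body, and the anchor is the slug GitHub derives from the new `### Signed Authentication Requests` heading. The entry keeps the file's existing flat TOC convention (Optional Parameters, also a `###` subsection, is already listed at the same level), so nothing to change here.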
@@ -100,6 +101,20 @@ The following table defines the REQUIRED behaviour of the API Provider for the `

The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)

### Signed Authentication Requests

It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). In addition, this document defines that:
* Values for the mandatory parameters `scope`, `response_type`, `client_id` and `redirect_uri` MUST be included using the OAuth2.0 request syntax. The values for these parameters MUST match those in the signed request object.
* For all other parameters, the authorization server MUST only use the parameters contained in the signed request object.

It is RECOMMENDED that the value of the `aud` field of the signed authentication request is the URL of the [Authorization Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
The authorization server MAY accept different values of the `aud` field e.g. the `issuer` field of its [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
The authorization server MUST check the value of the `aud` field and reject signed authentication requests if the value of the `aud` is not associated with the authorization server.

Note: Care must be taken in a multi-tenant environment that a signed authentication request for one tenant is not accepted at another tenant endpoint.

Note: The [Security Considerations](https://www.rfc-editor.org/rfc/rfc9101.html#section-10) of RFC9191 apply. It is recommended that the API consumer never includes a `sub` field in the signed request object, because otherwise the signed request object might be used for client authentication. For security reasons the endpoint receiving the request is explicitly named in the `aud` field.

### Optional Parameters

The OIDC Authentication Request defines login_hint as an OPTIONAL request parameter. CAMARA does not define a specific handling for this parameter in OIDC Authorization Code Flow. To ensure better interoperability, CAMARA clarifies that, if login_hint parameter is present in the authentication request and the authorization server does not support it, it MAY ignore it. It is RECOMMENDED that the authorization server does not return an error if the login_hint is not supported.
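Review bot: The RFC number in the last note is wrong: the link target is RFC 9101 (JWT-Secured Authorization Request), but the sentence reads `of RFC9191 apply`; RFC 9191 is an unrelated document, so change it to RFC 9101 (and, in the first bullet, `OAuth2.0` to `OAuth 2.0`). Three further points in this region. First, the `aud` guidance is internally inconsistent: the paragraph allows the authorization server to accept the `issuer` value instead of the Authorization Endpoint URL, yet the closing sentence asserts that "the endpoint receiving the request is explicitly named in the `aud` field", which only holds when the RECOMMENDED value is used. Suggest stating the intent as a condition, e.g. "Naming the Authorization Endpoint in `aud` limits where a captured request object can be replayed; an `aud` equal to the issuer does not distinguish endpoints, nor tenants that share an issuer", which also ties the free-standing multi-tenant note to the `aud` check. Second, the `sub` advice is the only normative-sounding statement here written in lowercase ("It is recommended that the API consumer never includes a `sub` field"); because the first paragraph lets the same key sign both request objects and client-authentication JWTs, the cross-JWT confusion risk the note alludes to is real, so use RFC 2119 wording ("The API consumer SHOULD NOT include a `sub` claim in the request object") and name that key reuse as the reason. Third, the first bullet says the query-string values `MUST match those in the signed request object` but does not say what the authorization server does otherwise; add that it MUST reject the request on a mismatch, mirroring the explicit reject rule already given for `aud`.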