There didn’t seem to be support for having cnf contain array values. Instead,
as discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 3
(was Re: confirmation model in proof-of-possession-02)”, if different keys are
being confirmed, they can define additional claims other than “cnf” using the
same structure as “cnf” to represent those confirmations. Indeed, those other
claims could be array-valued, if appropriate. The reasons for having a
structured “cnf” claim, rather than a set of flattened claim values, were also
discussed in that thread.
Thanks again,
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of Brian Campbell
Sent: Monday, March 23, 2015 9:07 AM
To: oauth
Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
This is mostly about section
3.4<https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.4>
but also the whole draft.
If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation element,
it should probably contain an array value rather than an object value. SAML
allows not just for multiple methods of confirming but for multiple instances
of the same method. IIRC, only one confirmation needs to be confirmable.
I'm not sure the extra complexity is worth it though. I've rarely, if ever,
seen SAML assertions that make use of it.
If the intent is just to allow for different kinds of confirmation, couldn't
the structure be pared down and simplified and just have individual claims for
the different confirmation types? Like "cjwk" and "ckid" or similar that have
the jwk or kid value respectively as the member value.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
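As an added example (not code from the thread, the draft or either author), here is how a verifier might consume the object-valued "cnf" structure Mike describes and Brian's "cjwk"/"ckid" alternatives would flatten, and how a separately defined claim reusing that structure could be array-valued. It assumes Python, covers only the "jwk" and "kid" members named in the thread (not the draft's other members), treats the verifier's key_store as a hypothetical local kid lookup, and assumes the proof-of-possession signature itself has already been checked against presented_jwk; all key values are constructed.

```python
# Public JWK members that identify a key; private members ("d") and
# metadata ("kid", "use", "alg") are ignored when comparing keys.
_PUBLIC_MEMBERS = {"kty", "crv", "x", "y", "n", "e"}

def _public_part(jwk: dict) -> dict:
    return {k: v for k, v in jwk.items() if k in _PUBLIC_MEMBERS}

def parse_confirmation(value, allow_array=False):
    """Validate a value that uses the "cnf" structure.

    "cnf" itself is one JSON object carrying one method ("jwk" or "kid").
    A separately defined claim reusing the structure may be array-valued:
    with allow_array=True a list of validated objects is returned.
    """
    if isinstance(value, list):
        if not allow_array:
            raise ValueError('"cnf" must be a JSON object, not an array')
        return [parse_confirmation(v) for v in value]
    if not isinstance(value, dict):
        raise ValueError("confirmation is missing or not a JSON object")
    if "jwk" in value:
        if not isinstance(value["jwk"], dict) or "kty" not in value["jwk"]:
            raise ValueError('"jwk" member is not a JWK object')
    elif "kid" in value:
        if not isinstance(value["kid"], str):
            raise ValueError('"kid" member must be a string')
    else:
        raise ValueError("no recognised confirmation method (jwk or kid)")
    return value

def key_is_confirmed(claims: dict, presented_jwk: dict, key_store: dict) -> bool:
    """True if the public key the presenter proved possession of is the key
    the JWT's "cnf" names, by value ("jwk") or by "kid" looked up in the
    verifier's own key_store (hypothetical). Any malformed "cnf" fails closed."""
    try:
        cnf = parse_confirmation(claims.get("cnf"))
    except ValueError:
        return False
    expected = cnf["jwk"] if "jwk" in cnf else key_store.get(cnf["kid"])
    return expected is not None and _public_part(expected) == _public_part(presented_jwk)

# Constructed sample data (not real key material): an EC public JWK, a JWT
# payload confirming it by value, and one confirming it by "kid".
CONFIRMED_KEY = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
PAYLOAD_BY_JWK = {"iss": "https://server.example.com", "cnf": {"jwk": CONFIRMED_KEY}}
PAYLOAD_BY_KID = {"iss": "https://server.example.com", "cnf": {"kid": "key-1"}}
KEY_STORE = {"key-1": CONFIRMED_KEY}
```

Because "cnf" is object-valued, an array in that position is rejected outright, while a claim that is documented as array-valued can be parsed with allow_array=True and each element checked the same way.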