It sounds like the CIMD would publish the `spiffe_id` in the metadata, that way the SPIFFE-ID in the SVID can be validated against the value in the CIMD? That sounds like it would work.
On Fri, Feb 20, 2026 at 9:06 AM Emelia S. <emelia= [email protected]> wrote: > > SPIFFE Client Authentication with JWT-SVIDs requires the authorization > server to ensure that the SPIFFE ID in the SVID matches the registered > value, but the specification does not define how this verification is to be > performed. If the spiffe_id client metadata is available, the > authorization server can satisfy this requirement by comparing the > registered metadata value with the SPIFFE ID contained in the SVID. > > The spiffe_id would mismatch with client_id right? For using it with CIMD? > > – Emelia > > > On 20 Feb 2026, at 17:57, Takahiko Kawasaki <[email protected]> wrote: > > Hello, > > *SPIFFE-CLIENT-AUTH ISSUE 30: IANA OAuth Parameters for SPIFFE Client > Authentication* > https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/30 > > I would like to propose the following IANA OAuth Parameters > <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml> for > SPIFFE Client Authentication: > OAuth Dynamic Client Registration Metadata > > - spiffe_id > - spiffe_bundle_endpoint > > OAuth Token Endpoint Authentication Methods > > - spiffe_jwt > - spiffe_x509 > > Rationale for spiffe_id > > SPIFFE Client Authentication with JWT-SVIDs requires the authorization > server to ensure that the SPIFFE ID in the SVID matches the registered > value, but the specification does not define how this verification is to be > performed. If the spiffe_id client metadata is available, the > authorization server can satisfy this requirement by comparing the > registered metadata value with the SPIFFE ID contained in the SVID. > Rationale for spiffe_bundle_endpoint > > Because the location of the SPIFFE Bundle Endpoint cannot be inferred from > the SPIFFE ID or the SVID, it must be preconfigured. However, the > specification does not define how this configuration is to be performed. If > the spiffe_bundle_endpoint client metadata is available, the > authorization server can use it to store the preconfigured value. > Rationale for spiffe_jwt and spiffe_x509 > The token_endpoint_auth_method client metadata and the > token_endpoint_auth_methods_supported server metadata require identifiers > representing the new client authentication methods defined by this > specification. > > Best Regards, > Taka @ Authlete > > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] > > > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
