Replies: 1 comment 6 replies
-
|
@panva can you share more about the rationale for this change? Unfortunately this was very much a breaking change for us, and it's a shame to see it was released in a patch version. From my read of the OIDC spec (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.9), under "9. Client Authentication", "private_key_jwk", |
Beta Was this translation helpful? Give feedback.
-
|
Sure, thankfully it was an easy enough fix (once we realized what was going wrong, which took a few days): PrairieLearn/PrairieLearn#11038. I appreciate the pointer in the commit message. Is this related to a vulnerability that hasn't been publicly disclosed yet? I can understand if you can't say more at this time, but otherwise the secrecy/caginess here is unexpected from this project. Regardless, I appreciate the work you do in maintaining this library. Thank you. |
Beta Was this translation helpful? Give feedback.
-
I buy that; I'm definitely not very well versed in the spec, this is just what I found with a quick read. For my own edification, do you know offhand what other pieces of the spec apply here? |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
@panva are you able to share the relevant parts of the spec now? I'd like to forward them to platforms that my product works with so that they can update their implementation to accept their issuer string. |
Beta Was this translation helpful? Give feedback.
-
|
The working group will work with this I-D as initial input for the updates https://datatracker.ietf.org/doc/html/draft-jones-oauth-rfc7523bis-00 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Refactor
Note: If needed this can be reverted using the
extras.clientAssertionPayloadoption.This discussion was created from the release v5.7.1.
Beta Was this translation helpful? Give feedback.
All reactions