1. the `dpop_jkt` parameter in the OpenID Connect Authentication Request
2. the `DPoP` header in the Token Request to the `token_endpoint`
3. the `cnf` claim containing the public key in the returned ID Token
In step 3 is the Token_Endpoint checking that the DPoP header verifies under public key specified by dpop_jkt? This seems like it would prevent rogue key attacks because the very fact that the user has an ID Token with the cnf value proves it has DPoP of the signing key. Am I reading this correctly?
What does the RP sign? In OpenPubkey we have the RP sign the ID Token itself after issuance, but that adds a second signature to the ID Token.
Is there any value in having the RP sign the claims of the ID Token so that it can ensure that the ID Token it is binding the JWK to contains the identity it expects?
Is there a missing step here?
+------+ +------+
| |-- Authentication Request --->| |
| RP | (1) dpop_jkt parameter | OP |
| | | |
| |<- (2) nonce -----------------| |
| | | |
| |-- Token Request ------------>| |
| | (3) DPoP header | |
| | | |
| |<-- Token Response -----------| |
| | (4) cnf claim containing | |
| | the public key in ID Token | |
+------+ +------+
In step 3 is the Token_Endpoint checking that the DPoP header verifies under public key specified by
dpop_jkt? This seems like it would prevent rogue key attacks because the very fact that the user has an ID Token with the cnf value proves it has DPoP of the signing key. Am I reading this correctly?What does the RP sign? In OpenPubkey we have the RP sign the ID Token itself after issuance, but that adds a second signature to the ID Token.
Is there any value in having the RP sign the claims of the ID Token so that it can ensure that the ID Token it is binding the JWK to contains the identity it expects?
Is there a missing step here?