I concur on this strategy being the one that can rule all the cases [and in the light binds them].
When using CIMD, it must become the source of truth for a client_id and all its possible aliases. Jean-François “Jeff” Lombardo | Amazon Web Services Architecte Principal de Solutions, Spécialiste de Sécurité Principal Solution Architect, Security Specialist Montréal, Canada Commentaires à propos de notre échange? Exprimez-vous ici<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>. Thoughts on our interaction? Provide feedback here<https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>. From: Aaron Parecki <[email protected]> Sent: February 20, 2026 12:09 PM To: Emelia S. <[email protected]> Cc: oauth <[email protected]> Subject: [EXT] [OAUTH-WG] Re: IANA OAuth Parameters for SPIFFE Client Authentication CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque. It sounds like the CIMD would publish the `spiffe_id` in the metadata, that way the SPIFFE-ID in the SVID can be validated against the value in the CIMD? That sounds like it would work. On Fri, Feb 20, 2026 at 9:06 AM Emelia S. <[email protected]<mailto:[email protected]>> wrote: > SPIFFE Client Authentication with JWT-SVIDs requires the authorization server > to ensure that the SPIFFE ID in the SVID matches the registered value, but > the specification does not define how this verification is to be performed. > If the spiffe_id client metadata is available, the authorization server can > satisfy this requirement by comparing the registered metadata value with the > SPIFFE ID contained in the SVID. The spiffe_id would mismatch with client_id right? For using it with CIMD? – Emelia On 20 Feb 2026, at 17:57, Takahiko Kawasaki <[email protected]<mailto:[email protected]>> wrote: Hello, SPIFFE-CLIENT-AUTH ISSUE 30: IANA OAuth Parameters for SPIFFE Client Authentication https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/30 I would like to propose the following IANA OAuth Parameters<https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml> for SPIFFE Client Authentication: OAuth Dynamic Client Registration Metadata * spiffe_id * spiffe_bundle_endpoint OAuth Token Endpoint Authentication Methods * spiffe_jwt * spiffe_x509 Rationale for spiffe_id SPIFFE Client Authentication with JWT-SVIDs requires the authorization server to ensure that the SPIFFE ID in the SVID matches the registered value, but the specification does not define how this verification is to be performed. If the spiffe_id client metadata is available, the authorization server can satisfy this requirement by comparing the registered metadata value with the SPIFFE ID contained in the SVID. Rationale for spiffe_bundle_endpoint Because the location of the SPIFFE Bundle Endpoint cannot be inferred from the SPIFFE ID or the SVID, it must be preconfigured. However, the specification does not define how this configuration is to be performed. If the spiffe_bundle_endpoint client metadata is available, the authorization server can use it to store the preconfigured value. Rationale for spiffe_jwt and spiffe_x509 The token_endpoint_auth_method client metadata and the token_endpoint_auth_methods_supported server metadata require identifiers representing the new client authentication methods defined by this specification. Best Regards, Taka @ Authlete _______________________________________________ OAuth mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> _______________________________________________ OAuth mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]>
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
