Hi Aaron,

Yes, what I expect the Client ID Metadata Document to contain is as follows:

"token_endpoint_auth_method": "spiffe_jwt" or "spiffe_x509",
"spiffe_id": "spiffe://example.org/my-oauth-client",
"spiffe_bundle_endpoint": "https://example.org/bundle"




On Sat, Feb 21, 2026 at 2:17 AM Lombardo, Jeff <jeffsec=[email protected]> wrote:

> I concur on this strategy being the one that can rule all the cases [and
> in the light binds them].
>
> When using CIMD, it must become the source of truth for a client_id and
> all its possible aliases.
>
>
>
> *Jean-François “Jeff” Lombardo* | Amazon Web Services
>
>
>
> Principal Solution Architect, Security Specialist
> Montréal, Canada
>
> Thoughts on our interaction? Provide feedback here
> <https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$>.
>
>
>
> *From:* Aaron Parecki <[email protected]>
> *Sent:* February 20, 2026 12:09 PM
> *To:* Emelia S. <[email protected]>
> *Cc:* oauth <[email protected]>
> *Subject:* [EXT] [OAUTH-WG] Re: IANA OAuth Parameters for SPIFFE Client
> Authentication
>
>
> It sounds like the CIMD would publish the `spiffe_id` in the metadata,
> that way the SPIFFE-ID in the SVID can be validated against the value in
> the CIMD? That sounds like it would work.
>
>
>
> On Fri, Feb 20, 2026 at 9:06 AM Emelia S. <emelia=[email protected]> wrote:
>
> > SPIFFE Client Authentication with JWT-SVIDs requires the authorization
> > server to ensure that the SPIFFE ID in the SVID matches the registered
> > value, but the specification does not define how this verification is to be
> > performed. If the spiffe_id client metadata is available, the
> > authorization server can satisfy this requirement by comparing the
> > registered metadata value with the SPIFFE ID contained in the SVID.
>
> The spiffe_id would mismatch with client_id right? For using it with CIMD?
>
>
>
> – Emelia
>
>
>
>
>
> On 20 Feb 2026, at 17:57, Takahiko Kawasaki <[email protected]> wrote:
>
>
>
> Hello,
>
>
>
> *SPIFFE-CLIENT-AUTH ISSUE 30: IANA OAuth Parameters for SPIFFE Client
> Authentication*
>
> https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/30
>
>
>
> I would like to propose the following IANA OAuth Parameters
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml>
> for SPIFFE Client Authentication:
>
> OAuth Dynamic Client Registration Metadata
>
>    - spiffe_id
>    - spiffe_bundle_endpoint
>
> OAuth Token Endpoint Authentication Methods
>
>    - spiffe_jwt
>    - spiffe_x509
>
> Rationale for spiffe_id
>
> SPIFFE Client Authentication with JWT-SVIDs requires the authorization
> server to ensure that the SPIFFE ID in the SVID matches the registered
> value, but the specification does not define how this verification is to be
> performed. If the spiffe_id client metadata is available, the
> authorization server can satisfy this requirement by comparing the
> registered metadata value with the SPIFFE ID contained in the SVID.
>
> Rationale for spiffe_bundle_endpoint
>
> Because the location of the SPIFFE Bundle Endpoint cannot be inferred from
> the SPIFFE ID or the SVID, it must be preconfigured. However, the
> specification does not define how this configuration is to be performed. If
> the spiffe_bundle_endpoint client metadata is available, the
> authorization server can use it to store the preconfigured value.
>
> Rationale for spiffe_jwt and spiffe_x509
>
> The token_endpoint_auth_method client metadata and the
> token_endpoint_auth_methods_supported server metadata require identifiers
> representing the new client authentication methods defined by this
> specification.
>
>
>
> Best Regards,
>
> Taka @ Authlete
>
>
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]


-- 
*Takahiko Kawasaki*
Co-Founder
[email protected]
authlete.com <https://www.authlete.com/> | LinkedIn <https://www.linkedin.com/company/authlete/>
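As an added illustration of the metadata-driven checks this thread describes (not code from the draft, from Authlete, or from the CIMD specification), the following authorization-server-side routine takes a client metadata document shaped like the one Taka expects above (token_endpoint_auth_method, spiffe_id, spiffe_bundle_endpoint) and a presented JWT-SVID, compares the SVID's SPIFFE ID against the registered spiffe_id, and looks the signing key up in the bundle behind the preconfigured spiffe_bundle_endpoint. The token endpoint, the bundle contents, the client metadata and the keys are all constructed; the bundle fetch is an offline stand-in for an HTTPS request; and signature verification is injected, with an HMAC-SHA256 stand-in supplied so the file runs on the standard library alone (a deployment would verify ES256/RS256 against the bundle's public key). It also shows why client_id and spiffe_id need not coincide: the CIMD is looked up by client_id, and only its spiffe_id attribute is matched against the SVID.

```python
"""Authorization-server checks for SPIFFE JWT-SVID client authentication driven
by client metadata. Added example (not draft, Authlete or CIMD-spec code); every
endpoint, key and the HMAC-based verifier below are constructed stand-ins."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed
TEST_SECRET = b"constructed-test-secret"          # stand-in for a bundle key

# Constructed CIMD. client_id is the metadata URL; spiffe_id is a separate
# attribute, so the two need not match and the AS compares the SVID against
# spiffe_id, never against client_id.
CIMD = {
    "client_id": "https://example.org/my-oauth-client",
    "token_endpoint_auth_method": "spiffe_jwt",
    "spiffe_id": "spiffe://example.org/my-oauth-client",
    "spiffe_bundle_endpoint": "https://example.org/bundle",
}

# Constructed JWKS-style bundle served at the preconfigured endpoint.
BUNDLES = {"https://example.org/bundle": {"keys": [{"kid": "key-1", "kty": "oct"}]}}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def fetch_bundle(url: str) -> dict:
    """Offline stand-in for an HTTPS fetch of the SPIFFE bundle endpoint."""
    if url not in BUNDLES:
        raise ValueError("bundle endpoint unreachable: %s" % url)
    return BUNDLES[url]


def hmac_verify(signing_input: bytes, signature: bytes, jwk: dict) -> bool:
    """Test stand-in for asymmetric JWS verification with a bundle JWK."""
    expected = hmac.new(TEST_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_test_svid(sub: str, aud: str, kid: str = "key-1",
                   exp: Optional[int] = None) -> str:
    """Mint a constructed JWT-SVID signed with the HMAC stand-in."""
    header = {"alg": "HS256", "kid": kid, "typ": "JWT"}
    payload = {"sub": sub, "aud": [aud],
               "exp": exp if exp is not None else int(time.time()) + 300}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(TEST_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def authenticate_client(meta: dict, assertion: str,
                        token_endpoint: str = TOKEN_ENDPOINT,
                        fetch: Callable[[str], dict] = fetch_bundle,
                        verify: Callable[[bytes, bytes, dict], bool] = hmac_verify,
                        now: Optional[float] = None) -> str:
    """Return the authenticated client_id, or raise ValueError with the reason."""
    if meta.get("token_endpoint_auth_method") != "spiffe_jwt":
        raise ValueError("client not registered for spiffe_jwt")
    registered = meta["spiffe_id"]
    if not registered.startswith("spiffe://"):
        raise ValueError("registered spiffe_id is not a SPIFFE URI")
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))
    # The check the draft requires but leaves open: registered spiffe_id
    # versus the SPIFFE ID the SVID asserts in `sub`.
    if claims.get("sub") != registered:
        raise ValueError("SVID SPIFFE ID does not match registered spiffe_id")
    aud = claims.get("aud", [])
    if token_endpoint not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience does not include the token endpoint")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("SVID expired")
    # The bundle location cannot be derived from the SPIFFE ID or the SVID,
    # so the key lookup uses the preconfigured spiffe_bundle_endpoint.
    keys = {k.get("kid"): k for k in fetch(meta["spiffe_bundle_endpoint"])["keys"]}
    jwk = keys.get(header.get("kid"))
    if jwk is None:
        raise ValueError("kid %r not in bundle" % header.get("kid"))
    if not verify((h + "." + p).encode(), b64url_decode(s), jwk):
        raise ValueError("invalid SVID signature")
    return meta["client_id"]


def rejection_reason(meta: dict, assertion: str, **kw) -> Optional[str]:
    """None when authentication succeeds, otherwise why it was refused."""
    try:
        authenticate_client(meta, assertion, **kw)
        return None
    except ValueError as e:
        return str(e)
```

A client registered with token_endpoint_auth_method "spiffe_x509" would take a separate X509-SVID path (certificate chain validated against the same bundle, SPIFFE ID taken from the URI SAN) and is refused here rather than silently accepted; the spiffe_id comparison is the step that both methods share.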