Replies: 1 comment 4 replies
-
|
@panva can you share more about the rationale for this change? Unfortunately this was very much a breaking change for us, and it's a shame to see it was released in a patch version. From my read of the OIDC spec (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.9), under "9. Client Authentication", "private_key_jwk", |
Beta Was this translation helpful? Give feedback.
-
Unfortunately, it had to be done.
A future not yet disclosed one.
If needed this can be reverted using the
It's not that simple. The specs are layered in such a way that the issuer identifier is also a valid value for an AS to accept. |
Beta Was this translation helpful? Give feedback.
-
|
Sure, thankfully it was an easy enough fix (once we realized what was going wrong, which took a few days): PrairieLearn/PrairieLearn#11038. I appreciate the pointer in the commit message. Is this related to a vulnerability that hasn't been publicly disclosed yet? I can understand if you can't say more at this time, but otherwise the secrecy/caginess here is unexpected from this project. Regardless, I appreciate the work you do in maintaining this library. Thank you. |
Beta Was this translation helpful? Give feedback.
-
I buy that; I'm definitely not very well versed in the spec, this is just what I found with a quick read. For my own edification, do you know offhand what other pieces of the spec apply here? |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
Refactor
Note: If needed this can be reverted using the
extras.clientAssertionPayloadoption.This discussion was created from the release v5.7.1.
Beta Was this translation helpful? Give feedback.
All reactions