Authorization code binding to client instance

[cobward]

Currently, section 5.2 "Refresh token binding" gives requirements for how an authorization server must bind the client instance to the refresh token. Could we reuse this mechanism to bind the authorization code to the client instance in the case that client auth was performed in the authorization request?

[tplooker]

@cobward do you mean in the event we are using something like a signed PAR request?

[paulbastian]

If I understand you correctly, you get a similar set of assurances like with PKCE, so I'm unsure if we want to duplicate this mechanism.

[cobward]

@cobward do you mean in the event we are using something like a signed PAR request?

I'm not sure that it only applies to signed PAR request. I mean just generally that if client authentication is required at the authorization endpoint then the same requirements of binding the client instance to the authorization code still apply.

If I understand you correctly, you get a similar set of assurances like with PKCE, so I'm unsure if we want to duplicate this mechanism.

If that is the case then would it make sense to add text to that effect? Something along the lines of:

The Authorization Server is not required to bind the client instance to the authorization code, as PKCE provides sufficient mitigation of security risks.

[jogu]

PKCE is actually a weaker mechanism, and DPoP has mechanisms that provide additional security that Pieter nicely explains here: https://bitbucket.org/openid/fapi/issues/503/dpop-par-and-authorization-code-binding#comment-63863178

However the current draft also doesn't say anything about using PKCE. It probably should?

I think it also needs to be explicitly called out in security considerations that the authorization code is NOT bound to the client instance. I think that's probably a significant change in the security model compared to normal client authentication, and PKCE and/or the above DPoP binding of the authorization code are both potential mitigations.

[panva]

However the current draft also doesn't say anything about using PKCE. It probably should?

Refs: #113

I think it also needs to be explicitly called out in security considerations that the authorization code is NOT bound to the client instance. I think that's probably a significant change in the security model compared to normal client authentication, and PKCE and/or the above DPoP binding of the authorization code are both potential mitigations.

Refs: #114 there's more that could be bound to the client instance than just the auth code when using PAR.

[tplooker]

FYI this is being addressed by #149