SL1 - Is Confidential Client a MUST in OpenID Connect IPSIE SL1 Profile? #61
Description
Aaron currently modeled the initial draft of an IPSIE OIDC profile for SL1 based off FAPI (https://github.com/aaronpk/ipsie-openid-sl1) where Confidential Client is a MUST.
A lot of SSO with OIDC today uses just the claims in the ID Token and doesn't really make use of Access Token for UserInfo endpoint and Refresh Token for the OP. FAPI is specifically trying to profile secure clients to obtain access tokens to highly regulated API endpoints. Access Tokens are the P0 in FAPI.
I could see a valid enterprise scenario where only offline_access with the issuance of a Refresh Token requires a confidential client as long as the tokens are issued via backchannel and access tokens for UserInfo are short-lived (IPSIE can define max lifetime) and protected with DPOP.
If an enterprise RP chooses to implement a public client and willing to use PKCE with a HTTPS callback to their origin that has been registered with the IDP (and verified through IdP's ISV/app boarding processes) and just needs to SSO a user to create a local app session but doesn't need to sync identity data offline or access other secure APIs at the IdP (common for IdPs that are also platforms like Google and Entra+Graph) not needing the overhead of a confidential client for SL1 conformance. Enterprises already need to trust that the RP has correctly implemented TLS to secure the app's traffic. We could define additional DNS/PKI requirements for the RP callback endpoint as we are doing for the OP if we wanted for additional security guarantees.
I would like to better understand why we want to require a confidential client for the SL1 SSO use case. Supporting public clients for SL1 SSO helps the enterprise IMHO by lowering the adoption friction by RPs that may be hosted with different tech stacks, clouds, providers, etc). Securely managing secrets is hard and if a enterprise app doesn't have to manage client credentials for every customer's IdP then there is less to get wrong.