Vulnerability in OpenID Connect

As a consequence of a vulnerability in OpenID Connect, changes have been made to the use of the private_key_jwt client authentication method, which HelseID uses for client authentication. The changes are being established as a new specification that obsoletes RFC7523 and updates RFC7521 and RFC9126.

  • The vulnerability can be exploited by an attacker who, in some situations, can control values in the Audience (aud) claim of the client_assertion parameter sent by the client to both the PAR and Token endpoints in HelseID.
  • The vulnerability can let an attacker impersonate a legitimate client.
  • Several assumptions must hold for a valid attack, and we consider the probability of misuse to be low.
  • No known attacks of this type have been discovered so far.

The private_key_jwt method is the only way to authenticate a client configuration in HelseID, and therefore all client systems must make changes, in code and/or in configuration. The changes a vendor must make to mitigate the vulnerability are the following:

  1. The aud claim in the JWT provided by the client to HelseID in the client_assertion parameter must always have the value https://helseid-sts.nhn.no in production and https://helseid-sts.test.nhn.no in test. No other values will be accepted. Some vendors may have used other values and must therefore verify that their client system uses the accepted values. This is a new change in the specification that obsoletes all other values.
  2. The typ header in the JWT provided by the client to HelseID in the client_assertion parameter must always have the value client-authentication+jwt. No other values will be accepted. This is a new change in the specification.

A client_assertion can look like this; notice the typ and aud values:

{
  "alg": "RS256",
  "kid": "AE16FAAAAAC3E5998BD19CB895DB95E9",
  "typ": "client-authentication+jwt"
}.{
  "sub": "YOUR CLIENT ID",
  "iat": 1677743803,
  "jti": "892ba3d44a37411ebc92482234176157",
  "nbf": 1677743803,
  "exp": 1677743863,
  "iss": "YOUR CLIENT ID",
  "aud": "https://helseid-sts.test.nhn.no"
}.[Signature]

These values are described in the document Using Client Assertions for client authentication in HelseID.
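As an added example (not HelseID's own code), the following Python builds the header and claims of a client_assertion that satisfies the two requirements above and performs the structural checks HelseID now enforces, so a vendor can verify their own assertions before sending them. It assumes RS256 signing and signature verification against the client's registered key are done separately; the function names and the env parameter are assumptions of this example.

```python
import base64
import json
import uuid

# Audience values HelseID accepts in the client_assertion (from the advisory).
HELSEID_AUDIENCE = {
    "production": "https://helseid-sts.nhn.no",
    "test": "https://helseid-sts.test.nhn.no",
}
REQUIRED_TYP = "client-authentication+jwt"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion_parts(client_id: str, env: str, kid: str, now: int):
    """Header and claims for a compliant client_assertion; sign with RS256 separately."""
    header = {"alg": "RS256", "kid": kid, "typ": REQUIRED_TYP}
    claims = {
        "sub": client_id, "iss": client_id,
        "iat": now, "nbf": now, "exp": now + 60,
        "jti": uuid.uuid4().hex,
        "aud": HELSEID_AUDIENCE[env],
    }
    return header, claims


def encode_unsigned(header: dict, claims: dict) -> str:
    """JOSE compact form with an empty signature segment (for the structural checks below)."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}."


def check_assertion(token: str, env: str, now: int) -> list:
    """Checks the advisory requires; run before verifying the signature with the client's key."""
    header_b64, claims_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    problems = []
    if header.get("typ") != REQUIRED_TYP:
        problems.append("typ must be client-authentication+jwt")
    # aud must be exactly the STS URL string; a list or any other URL is rejected.
    if claims.get("aud") != HELSEID_AUDIENCE[env]:
        problems.append("aud must be the HelseID STS URL")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("assertion not within nbf/exp window")
    return problems
```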

This is a breaking change that will require adjustments (in code or configuration) in all client systems. For security reasons, HelseID plans to introduce the changes during June 2025. In the TEST environment, the change will be introduced during April.


We also recommend that all vendors who have not yet implemented PAR and DPoP implement these security measures as well.