From 18f14bec85459fec403f4402a93fc06722230261 Mon Sep 17 00:00:00 2001 From: Eric Murray Date: Tue, 15 Oct 2024 21:25:47 +0100 Subject: [PATCH] Recommend signed authentication requests for CIBA --- documentation/CAMARA-Security-Interoperability.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index 7744060..f4bda0e 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md @@ -92,6 +92,8 @@ The parameters `binding_message`, `user_code`, and `requested_expiry` are curren ### Authentication Request +It is RECOMMENDED that signed authentication requests be used, as specified by [OIDC CIBA Core](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#signed_auth_request). The same key MAY be used for signing the authentication request as is used for [client authentication](#client-authentication). + CIBA allows the client to use login_hint_token, id_token_hint or login_hint as a hint in the authentication request. This CAMARA profile makes the login_hint parameter REQUIRED. The client SHALL specify login_hint (and only login_hint) in the authentication request when using CIBA in a CAMARA context. The client MUST authenticate with the authorization server as described in [Client Authentication Section](#client-authentication).
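Review bot: The second added sentence ("The same key MAY be used for signing the authentication request as is used for [client authentication]") permits key reuse without saying how the authorization server keeps the two JWT uses apart. Consider adding that a signed authentication request must not be accepted as a client authentication assertion or the reverse, or recommending separate keys where the client can manage them. The first added sentence makes signing RECOMMENDED for the client but does not say whether authorization servers are required to support signed requests or how they should treat unsigned ones, so an implementer cannot tell what to expect from a given server. It would also help to state how the login_hint rule in the unchanged paragraph that follows applies when the request is signed, that is, whether login_hint is then carried inside the signed request.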