IDTokenClaimsVerifier fails to verify some scenario regarding audience and authorized party
Issue #299
invalid
IDTokenClaimsVerifier fails to verify scenario where audience has multiple values but authorized party is null
From the OIDC specs I think a BadJWTException should be thrown when it is null. "If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value."
Also, when the audience contains a single value but azp is also present, it is not verified that azp is equal to the expected client ID.
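Added example (not the Nimbus OIDC SDK's code) of the aud/azp check the two scenarios above concern, enforcing both SHOULD rules strictly as the reporter proposes; the claim names and the BadJWTException name come from the post, the function names and sample claims are assumed:

```python
# Added example, not the SDK's implementation: aud/azp verification for an
# ID token claims set, following OIDC Core section 3.1.3.7 as quoted in the post.
from typing import Union


class BadJWTException(Exception):
    """Raised when the ID token claims fail verification (name from the post)."""


def verify_audience_and_azp(claims: dict, expected_client_id: str) -> None:
    """Raise BadJWTException unless aud/azp are consistent with expected_client_id."""
    aud: Union[str, list, None] = claims.get("aud")
    if aud is None:
        raise BadJWTException("missing aud claim")
    # aud is either a single string or a JSON array of strings
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        raise BadJWTException("malformed aud claim")
    # The client must be one of the audiences.
    if expected_client_id not in audiences:
        raise BadJWTException("aud does not contain the expected client_id")
    azp = claims.get("azp")
    # Scenario 1 from the post: multiple audiences require azp to be present.
    if len(audiences) > 1 and azp is None:
        raise BadJWTException("multiple audiences but azp claim is missing")
    # Scenario 2 from the post: whenever azp is present it must equal client_id,
    # even if aud holds only a single value.
    if azp is not None and azp != expected_client_id:
        raise BadJWTException("azp does not match the expected client_id")


def is_valid(claims: dict, expected_client_id: str) -> bool:
    """Boolean wrapper so callers can test the outcome without catching."""
    try:
        verify_audience_and_azp(claims, expected_client_id)
        return True
    except BadJWTException:
        return False


if __name__ == "__main__":
    # Constructed sample claims illustrating both reported scenarios.
    print(is_valid({"aud": ["client-a", "client-b"]}, "client-a"))      # False
    print(is_valid({"aud": "client-a", "azp": "client-b"}, "client-a"))  # False
```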
Comments (2)
- changed status to invalid
This issue is related to the OIDC SDK, moved there:
Just noting this here, because the current OIDC spec isn't entirely clear either:
https://bitbucket.org/openid/connect/issues/1009/contradictory-statements-about-id-token