IDTokenClaimsVerifier fails to verify some scenario regarding audience and authorized party
Issue #263
resolved
Originally posted in JOSE+JWT issues:
Michał Bojanowski created an issue 2019-02-15
IDTokenClaimsVerifier fails to verify scenario where audience has multiple values but authorized party is null
From the OIDC specs I think a BadJWTException should be thrown when it's null. "If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value."
Also, when the audience contains a single value BUT azp is also present, it's not verified that azp is equal to the expected client id.
Comments (1)
Connect2id Support
Just noting this here, because the current OIDC spec also isn't entirely clear:
https://bitbucket.org/openid/connect/issues/1009/contradictory-statements-about-id-token
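The two scenarios the report describes, as an added example that is not part of the original issue or of the Nimbus SDK code: a standalone check (written in Python for illustration; the SDK itself is Java) that applies the strict reading of the spec text quoted above, run over constructed claim sets. The function names, the sample claims and the client id are all assumptions made for this example.

```python
"""Audience (aud) / authorized party (azp) checks for an OpenID Connect ID Token.

Added illustration, not the Nimbus IDTokenClaimsVerifier code. It applies the
strict reading of the spec text quoted in the issue: with several audiences an
azp claim must be present, and any azp present must equal the expected client_id.
All claim sets below are constructed samples.
"""
from typing import Any, Dict, List, Mapping


class BadJWTException(Exception):
    """Raised when the aud/azp claims do not fit the expected client."""


def verify_audience_and_azp(claims: Mapping[str, Any], expected_client_id: str) -> None:
    """Raise BadJWTException unless aud and azp are consistent with expected_client_id."""
    aud = claims.get("aud")
    if aud is None:
        raise BadJWTException("missing aud claim")
    # aud may be a single string or a list of strings; normalise to a list
    audiences: List[str] = [aud] if isinstance(aud, str) else list(aud)
    if expected_client_id not in audiences:
        raise BadJWTException(f"aud {audiences!r} does not contain {expected_client_id!r}")

    azp = claims.get("azp")
    # Scenario 1 from the issue: multiple audiences but azp absent
    if len(audiences) > 1 and azp is None:
        raise BadJWTException("multiple audiences but no azp claim")
    # Scenario 2 from the issue: azp present (even with a single aud) must equal client_id
    if azp is not None and azp != expected_client_id:
        raise BadJWTException(f"azp {azp!r} does not match client_id {expected_client_id!r}")


def is_acceptable(claims: Mapping[str, Any], expected_client_id: str) -> bool:
    """Boolean wrapper around verify_audience_and_azp for table-driven checks."""
    try:
        verify_audience_and_azp(claims, expected_client_id)
    except BadJWTException:
        return False
    return True


# Constructed sample claim sets (only aud/azp shown; iss/exp/nonce etc. are checked elsewhere)
CLIENT_ID = "client-a"  # assumed client id for this example
SAMPLES: Dict[str, Dict[str, Any]] = {
    "single_aud":            {"aud": "client-a"},
    "multi_aud_with_azp":    {"aud": ["client-a", "client-b"], "azp": "client-a"},
    "multi_aud_missing_azp": {"aud": ["client-a", "client-b"]},        # issue scenario 1
    "single_aud_wrong_azp":  {"aud": "client-a", "azp": "client-b"},   # issue scenario 2
    "wrong_aud":             {"aud": "client-b"},
}


def evaluate_samples() -> Dict[str, bool]:
    """Return which constructed samples pass the check for CLIENT_ID."""
    return {name: is_acceptable(claims, CLIENT_ID) for name, claims in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

Because the spec phrases both rules as SHOULD (the ambiguity the support comment links to), a verifier may legitimately treat the missing-azp case as a warning rather than a hard failure; the code above takes the strict side so that a token minted for several clients cannot be replayed against this one without naming it as the authorized party.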
Fix: 6d537177 (9.0)