IDTokenClaimsVerifier fails to verify some scenario regarding audience and authorized party

Issue #263 resolved
Connect2id OSS created an issue

Originally posted in JOSE+JWT issues:

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/299/idtokenclaimsverifier-fails-to-verify-some

Michał Bojanowski created an issue 2019-02-15

IDTokenClaimsVerifier fails to verify scenario where audience has multiple values but authorized party is null

From the OIDC specs I think a BadJWTException should be thrown when it's null: "If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value."

Also, when the audience contains a single value BUT azp is also present, it's not verified that azp is equal to the expected client id.
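The two scenarios the report describes, written out as a standalone check (added example; this is not the Nimbus SDK's IDTokenClaimsVerifier, and the function and exception names are made up for illustration). It applies the quoted spec text strictly: the client's client_id must be in aud, a multi-valued aud requires azp, and any present azp must equal the client_id, whether aud has one value or several.

```python
"""Audience / authorized-party (azp) checks for an OpenID Connect ID token.

Added illustration of the rule quoted in the issue (OIDC Core 3.1.3.7):
  - the client's client_id must appear in the aud claim;
  - if aud has multiple values, an azp claim must be present;
  - if azp is present, it must equal the client_id.
The names below (BadIDTokenError, verify_audience_and_azp, check) are
assumptions for this example, not SDK API.
"""


class BadIDTokenError(Exception):
    """Raised when the ID token's aud/azp claims fail validation."""


def verify_audience_and_azp(claims: dict, client_id: str) -> None:
    """Raise BadIDTokenError if the aud/azp claims are not valid for client_id."""
    aud = claims.get("aud")
    if aud is None:
        raise BadIDTokenError("missing aud claim")
    # aud may be a single string or a JSON array of strings
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        raise BadIDTokenError(f"client_id {client_id!r} not in aud {audiences!r}")

    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        # scenario 1 from the report: several audiences but no azp
        raise BadIDTokenError("multiple audiences but no azp claim")
    if azp is not None and azp != client_id:
        # scenario 2 from the report: azp present (even with a single aud)
        # but naming a different party than this client
        raise BadIDTokenError(f"azp {azp!r} does not match client_id {client_id!r}")


def check(claims: dict, client_id: str) -> str:
    """Return 'ok' or 'rejected: <reason>' so callers can log the outcome."""
    try:
        verify_audience_and_azp(claims, client_id)
        return "ok"
    except BadIDTokenError as exc:
        return f"rejected: {exc}"


# Constructed sample claim sets (only the claims relevant to this check)
SINGLE_AUD = {"iss": "https://op.example", "aud": "client-a"}
MULTI_AUD_NO_AZP = {"iss": "https://op.example", "aud": ["client-a", "client-b"]}
MULTI_AUD_AZP = {"iss": "https://op.example", "aud": ["client-a", "client-b"], "azp": "client-a"}
SINGLE_AUD_WRONG_AZP = {"iss": "https://op.example", "aud": "client-a", "azp": "client-b"}

if __name__ == "__main__":
    for name, claims in [("single aud", SINGLE_AUD),
                         ("multi aud, no azp", MULTI_AUD_NO_AZP),
                         ("multi aud, azp ok", MULTI_AUD_AZP),
                         ("single aud, wrong azp", SINGLE_AUD_WRONG_AZP)]:
        print(f"{name:24} -> {check(claims, 'client-a')}")
```

Both reported cases are rejected here: a multi-valued aud without azp, and an azp that names another client even though aud is a single value. The spec uses SHOULD for these steps, so a library may reasonably treat them as configurable, but a client that accepts tokens minted for a different party is the risk this check is meant to close.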

Connect2id Support

Just noting this here, because the current OIDC spec isn't entirely clear either:

https://bitbucket.org/openid/connect/issues/1009/contradictory-statements-about-id-token

Comments (1)
