- changed status to invalid
OpenID Connect Federation 1.0: requred header "typ" not stated in Resolve Response specifications
Issue #416
invalid
The class ResolveStatement (package com.nimbusds.openid.connect.sdk.federation.api) is based on section 7.2.2 (Resolve Response) of https://openid.net/specs/openid-connect-federation-1_0.html.
Its method verifySignature(final JWKSet jwkSet) (in addition to other things) verifies that the typ header is equal to resolve-response+jwt, but this is not explicitly stated in the specifications linked above (while it is, for example, for Entity Statement in section 3.1).
Comments (3)
-
-
Filed ticket to the spec:
https://bitbucket.org/openid/connect/issues/1815/federation-resolve-response-clarify-the
-
reporter
Thanks for your replies. Hope the ticket you opened will make this specification clearer for everybody
- Log in to comment
All JWTs in OIDC Federation 1.0 are supposed to be typed (typ:"...").
https://bitbucket.org/openid/connect/issues/1630/federation-explicitly-type-jwts-returned
The language in the "resolve response" is not 100% clear about this, perhaps this will need a fix in the Federation 1.0 spec.