- changed status to open
Remove validation of sub != client_id in request object
Hello, https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/1261e43db017ed86e61d3442eb75dc9570fe9256 added validation that the sub claim != the client_id claim of the request object which seems like a nice security feature advised by the spec. Unfortunately for me it is only advised by the spec and not required so I think it should be optional in the parsing of an authorization request. Thank you for the consideration. Also, if you could propose any workaround I would be grateful.
Comments (4)
reporter: My personal issue with this has been resolved by updating my client to not pass the same sub and client ID in their JWTs, so you can probably safely close. This was potentially cumbersome to accomplish, which prompted me to raise this issue in desperation. My proposal for things like this might instead be to add more extension points to the library to make it easier to override certain functionality. I feel like the parsing of the authn request object or other JWTs and their validation would be better separated. Thank you in any case for a great library.
Hi Chris,
Thanks for getting back. I will close this ticket as won’t fix for now. Since JWT request objects and private_key_jwt’s are both weakly typed (recent specs started adding a typ header that must be observed during processing) and the request object passes through the browser, there is a real danger of impersonation by taking the request object JWT and using it to authenticate at the token endpoint in situations when the claims match sufficiently.
- changed status to wontfix
Hi Chris,
The client_secret_jwt and private_key_jwt have these required claims: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
I suppose we could skip the sub / client_id claim check when iss, aud or jti claims are not present. Let us know what you think about this.
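Added example (not the SDK's code) showing both halves of the concern in this thread in Python: the authorization-side request object check in its strict form and in the relaxed form proposed above, and a token-endpoint-side client assertion check that observes the typ header. The client_id, audience and JWT payloads are constructed; signatures are placeholders and assumed to be verified before these claim checks; the typ value "oauth-authz-req+jwt" is the one RFC 9101 defines for request objects.

```python
import base64
import json

# Constructed identifiers for this example (not from the thread).
CLIENT_ID = "s6BhdRkqt3"
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"  # typ value RFC 9101 defines for request objects

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict) -> str:
    """Constructed JWT-shaped input with a placeholder signature (verification assumed done earlier)."""
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), "sig"])

def parse_jwt(jwt: str):
    """Split a JWT into (header, claims) without verifying the signature."""
    header, claims, _sig = jwt.split(".")
    return json.loads(_unb64url(header)), json.loads(_unb64url(claims))

def request_object_errors(jwt: str, client_id: str, strict: bool = True) -> list:
    """Authorization-endpoint side: check a request object sent by client_id.
    strict=True is the behaviour the thread describes (sub == client_id always rejected).
    strict=False is the relaxation proposed in the last comment: skip the sub check when
    iss, aud or jti is missing, since the JWT then lacks a required client assertion claim."""
    _header, claims = parse_jwt(jwt)
    errors = []
    if claims.get("client_id") != client_id:
        errors.append("client_id claim does not match the requesting client")
    has_assertion_claims = all(k in claims for k in ("iss", "aud", "jti"))
    if claims.get("sub") == client_id and (strict or has_assertion_claims):
        errors.append("sub equals client_id: request object could double as a client assertion")
    return errors

def client_assertion_errors(jwt: str, client_id: str, token_endpoint_aud: str) -> list:
    """Token-endpoint side: accept only JWTs carrying the required assertion claims
    that were not minted as request objects (typ header observed, as the thread notes)."""
    header, claims = parse_jwt(jwt)
    errors = []
    if header.get("typ") == REQUEST_OBJECT_TYP:
        errors.append("typ marks this JWT as a request object, not a client assertion")
    if claims.get("iss") != client_id or claims.get("sub") != client_id or "jti" not in claims:
        errors.append("iss and sub must equal the client_id and jti is required")
    aud = claims.get("aud")
    if token_endpoint_aud not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not include the token endpoint / issuer")
    return errors
```

Run the same untyped request object through both functions to see the overlap the maintainer describes: a request object whose iss, sub, aud and jti line up with the client is accepted by the assertion check unless the typ header is set.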