Basic - issuer + client_id check a MUST in id_token validation
Issue #619
resolved
Since we are not checking sigs in Basic, we need to check it explicitly.
Comments (6)
- changed status to open
Breno's comments about self-referential make sense, as do his comments about 4th party interactions.
Re #619: Clarified that the client MUST check that the issuer is valid for the token endpoint.
Needs review before closure
- marked as minor
- changed title to Basic - issuer + client_id check a MUST in id_token validation
- changed status to resolved
Reviewed by Mike. Close ticket.
Let's be careful to indicate that client_id and audience have different meanings in an id_token.
The client_id is to whom the token was issued; the basic recipient MAY restrict that the client_id be always self-referential, but this will prevent it from accepting 4th party use cases such as a token issued to an affiliated mobile app. It's important to call out that the client_id restriction is optional and possibly NOT RECOMMENDED to parties that don't understand the implications for interoperability.
The audience check (ensure that it's self-referential) is absolutely required. That's the MUST.
I used the word self-referential (as opposed to client_id equality testing) on purpose. An application may be represented by multiple client_ids.
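The checks discussed in this ticket, as an added example in Python (not code from the issue or from the spec drafts): the issuer must match the one configured for the token endpoint, the audience must be self-referential against all client_ids the application owns, and the "issued to us" restriction is an optional flag. The claim name `azp` for "the client_id to whom the token was issued", the `ISSUER`/`OWN_CLIENT_IDS` values and the sample claims are assumptions constructed for the example.

```python
import time

# Constructed sample values (not from the issue): the issuer configured for
# the token endpoint this client used, and the client_ids this app owns.
ISSUER = "https://op.example/"
OWN_CLIENT_IDS = {"web-client-1", "web-client-1-staging"}

def validate_id_token_claims(claims, expected_issuer, own_client_ids,
                             restrict_azp=False, now=None):
    """Return the list of failed checks (empty list means the claims pass)."""
    errors = []
    now = time.time() if now is None else now
    own = set(own_client_ids)
    # Issuer check: a MUST, since the Basic profile does not verify signatures,
    # so the iss claim is compared with the issuer the token endpoint belongs to.
    if claims.get("iss") != expected_issuer:
        errors.append("iss mismatch")
    # Audience check: a MUST. aud may be a string or a list, and one app may be
    # represented by several client_ids, so "self-referential" is an intersection
    # test rather than equality against a single client_id.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if not own.intersection(aud_list):
        errors.append("aud not self-referential")
    # Optional "issued to us" restriction. azp is the assumed claim name for
    # the client_id the token was issued to; enforcing it rejects 4th-party
    # tokens such as one issued to an affiliated mobile app.
    azp = claims.get("azp")
    if restrict_azp and azp is not None and azp not in own:
        errors.append("azp not self-referential")
    # Expiry: basic freshness check any claims validator should include.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("expired")
    return errors

# Constructed sample claims (decoded payloads, not real tokens).
FIXED_NOW = 1_700_000_000
DIRECT_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": "web-client-1",
                 "exp": FIXED_NOW + 300}
# 4th-party case from the discussion: issued to an affiliated mobile app,
# with this web app also listed as an audience.
FOURTH_PARTY_CLAIMS = {"iss": ISSUER, "sub": "alice",
                       "aud": ["mobile-client-2", "web-client-1"],
                       "azp": "mobile-client-2", "exp": FIXED_NOW + 300}
```

With `restrict_azp=False` the 4th-party token passes because the audience is self-referential; with `restrict_azp=True` it is rejected, which is the interoperability trade-off the comment above describes.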