Core makes "aud" in request object optional unexpectedly
https://openid.net/specs/openid-connect-core-1_0.html#RequestObject says:
If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.
I am struggling to understand the logic as to why "aud" is optional?
On a related note, the second part ("The aud value SHOULD be or include the OP's Issuer Identifier URL.") is worded in a way that it appears to conflict with the JWT RFC; if I understand the intent correctly then "If present, the aud value MUST be or include the OP's Issuer Identifier URL" might be clearer.
(This was previously discussed in the FAPI WG, https://bitbucket.org/openid/fapi/issues/190/aud-should-be-mandatory-in-requests - the FAPI WG currently intends to make aud a MUST)
Comments (5)
- marked as enhancement
- changed milestone to Ammendment
We could also enhance the Security Considerations on this topic as part of the errata process.
reporter I believe I meant to refer to the JWT BCP, https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-04#section-3.9 says:
If the same issuer can issue JWTs that are intended for use by more than one relying party or application, the JWT MUST contain an "aud" (audience) claim that can be used to determine whether the JWT is being used by an intended party or was substituted by an attacker at an unintended party.
https://openid.net/specs/openid-connect-core-1_0.html#RequestObject and https://www.rfc-editor.org/rfc/rfc9101.html#section-4 both say that iss and aud SHOULD be included. In retrospect, yes, in both cases we would have been better off with these being MUSTs. We were newer at spec writing in 2011 and had fewer battle scars from watching implementers get things wrong then. :-/ JAR copied the text from Connect Core and we failed to catch it then. We should make these both MUSTs at such time as we publish revisions to either specification.
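One way an OP could apply the iss/aud checks this thread is about, covering both the current SHOULD reading of Core/JAR and the stricter MUST reading the reporter and the JWT BCP argue for. This is an added Python example, not code from the issue or from either specification; the OP issuer, client_id and decoded payloads are constructed, and JWS signature verification is assumed to have already happened before these claim checks run.

```python
# Audience/issuer checks for a signed OpenID Connect Request Object. Assumes the
# JWS signature was already verified and the payload decoded into a dict.
from typing import Any, Mapping

def _aud_contains(aud, issuer):  # RFC 7519: 'aud' is one string or an array
    if isinstance(aud, str):
        return aud == issuer
    return isinstance(aud, list) and issuer in aud

def check_request_object_claims(claims: Mapping[str, Any], op_issuer: str,
                                client_id: str, strict: bool = False) -> str:
    """Return 'ok' (or 'ok-no-aud') or raise ValueError with the reason.

    iss, when present, must equal the RP's client_id (RP signed it itself).
    aud must be, or include, the OP's Issuer Identifier. strict=True applies
    the MUST reading argued for in this issue: a missing iss/aud is rejected.
    """
    iss = claims.get("iss")
    if iss is None and strict:
        raise ValueError("iss missing")
    if iss is not None and iss != client_id:
        raise ValueError(f"iss {iss!r} != client_id {client_id!r}")
    if "aud" not in claims:
        if strict:
            raise ValueError("aud missing")
        return "ok-no-aud"  # tolerated under the current SHOULD wording
    if not _aud_contains(claims["aud"], op_issuer):
        raise ValueError(f"aud {claims['aud']!r} lacks {op_issuer!r}")
    return "ok"

OP_ISSUER = "https://op.example.com"  # constructed OP Issuer Identifier
CLIENT_ID = "s6BhdRkqt3"              # constructed RP client_id
SAMPLES = {  # constructed decoded payloads
    "good": {"iss": CLIENT_ID, "aud": OP_ISSUER, "response_type": "code"},
    "good_list": {"iss": CLIENT_ID, "aud": ["https://rs.example", OP_ISSUER]},
    "no_aud": {"iss": CLIENT_ID, "response_type": "code"},
    "other_op": {"iss": CLIENT_ID, "aud": "https://other-op.example"},
    "other_client": {"iss": "someone-else", "aud": OP_ISSUER},
}

def evaluate(strict: bool = False) -> dict:
    """Run every sample through the check; map name -> outcome string."""
    out = {}
    for name, claims in SAMPLES.items():
        try:
            out[name] = check_request_object_claims(claims, OP_ISSUER, CLIENT_ID, strict)
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out
```

The "no_aud" sample is the case the issue is about: it passes under the SHOULD wording and is rejected only when strict=True.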
- changed status to open
By comparison https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17 also says that "aud" and "iss" SHOULD be included.