Core makes "aud" in request object optional unexpectedly

Issue #1059 open
Joseph Heenan created an issue

https://openid.net/specs/openid-connect-core-1_0.html#RequestObject says:

If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.

I am struggling to understand the logic as to why "aud" is optional?

On a related note, the second part ("The aud value SHOULD be or include the OP's Issuer Identifier URL.") is worded in a way that it appears to conflict with the JWT RFC; if I understand the intent correctly then "If present, the aud value MUST be or include the OP's Issuer Identifier URL" might be clearer.

(This was previously discussed in the FAPI WG, https://bitbucket.org/openid/fapi/issues/190/aud-should-be-mandatory-in-requests - the FAPI WG currently intends to make aud a MUST)
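The two readings of the text discussed above (Core's current "aud SHOULD be or include the OP's Issuer Identifier URL" versus the FAPI intent of making aud a MUST) can be made concrete as a claim check run on an already signature-verified Request Object payload. The following is an added example written for this page, not code from the issue, the OpenID Foundation or any library; the issuer and client identifier values are constructed, and the check assumes the common case where the RP itself signed the object, so iss is expected to equal the client_id.

```python
"""Check the iss and aud claims of a decoded OpenID Connect Request Object payload.

Assumes the JWT signature has already been verified and the payload decoded to a dict.
"""
from typing import Any, Dict, List

# Constructed sample values for this example (not taken from the issue page).
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"


def aud_as_list(aud: Any) -> List[str]:
    """RFC 7519 section 4.1.3 allows "aud" to be one string or an array of strings."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or a non-empty array of strings")


def check_request_object_claims(claims: Dict[str, Any],
                                op_issuer: str = OP_ISSUER,
                                client_id: str = CLIENT_ID,
                                require_aud: bool = True) -> List[str]:
    """Return the list of problems found; an empty list means the claims pass.

    require_aud=True reflects the FAPI position described in the issue (aud as a MUST).
    require_aud=False reflects the current Core wording (aud is a SHOULD), in which case
    aud is validated only when present, i.e. "if present, it MUST be or include the OP issuer".
    """
    problems: List[str] = []

    # iss SHOULD be the RP's client_id when the RP signed the object (the case handled here).
    if claims.get("iss") != client_id:
        problems.append(f"iss {claims.get('iss')!r} is not the client_id {client_id!r}")

    if "aud" not in claims:
        if require_aud:
            problems.append("aud is missing")
        return problems

    try:
        audiences = aud_as_list(claims["aud"])
    except ValueError as exc:
        problems.append(str(exc))
        return problems

    # Whether aud is a single value or an array, the OP's issuer must be among the audiences,
    # otherwise a Request Object minted for a different OP could be replayed here.
    if op_issuer not in audiences:
        problems.append(f"aud {claims['aud']!r} does not include the OP issuer {op_issuer!r}")
    return problems


if __name__ == "__main__":
    # Constructed payloads illustrating the three outcomes.
    samples = {
        "good": {"iss": CLIENT_ID, "aud": OP_ISSUER, "response_type": "code"},
        "array": {"iss": CLIENT_ID, "aud": ["https://rs.example.com", OP_ISSUER]},
        "no_aud": {"iss": CLIENT_ID, "response_type": "code"},
        "wrong_aud": {"iss": CLIENT_ID, "aud": "https://other-op.example.net"},
    }
    for name, payload in samples.items():
        print(name, "strict:", check_request_object_claims(payload),
              "lenient:", check_request_object_claims(payload, require_aud=False))
```

Running the script shows the practical difference between the two readings: the payload without aud passes the lenient (current Core) check and fails the strict (FAPI) one, while a payload whose aud names a different OP fails under both.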

Comments (5)

  1. Michael Jones

    https://openid.net/specs/openid-connect-core-1_0.html#RequestObject and https://www.rfc-editor.org/rfc/rfc9101.html#section-4 both say that iss and aud SHOULD be included. In retrospect, yes, in both cases we would have been better off with these being MUSTs. We were newer at spec writing in 2011 and had fewer battle scars from watching implementers get things wrong then. :-/ JAR copied the text from Connect Core and we failed to catch it then.

    We should make these both MUSTs at such time as we publish revisions to either specification.
