Core makes "aud" in request object optional unexpectedly
https://openid.net/specs/openid-connect-core-1_0.html#RequestObject says:
If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.
I am struggling to understand the logic as to why "aud" is optional.
On a related note, the second part ("The aud value SHOULD be or include the OP's Issuer Identifier URL.") is worded in a way that it appears to conflict with the JWT RFC; if I understand the intent correctly then "If present, the aud value MUST be or include the OP's Issuer Identifier URL" might be clearer.
(This was previously discussed in the FAPI WG, https://bitbucket.org/openid/fapi/issues/190/aud-should-be-mandatory-in-requests - the FAPI WG currently intends to make aud a MUST.)
Comments (3)
- marked as enhancement
- assigned issue to
- changed milestone to Ammendment
We could also enhance the Security Considerations on this topic as part of the errata process.
-
reporter: I believe I meant to refer to the JWT BCP; https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-04#section-3.9 says:
If the same issuer can issue JWTs that are intended for use by more than one relying party or application, the JWT MUST contain an "aud" (audience) claim that can be used to determine whether the JWT is being used by an intended party or was substituted by an attacker at an unintended party.
By comparison, https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17 also says that "aud" and "iss" SHOULD be included.
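To make the substitution risk from the JWT BCP quote concrete, here is an added example (not code from the issue, the OpenID Connect spec, or any OP implementation) of the OP-side check that a signed request object names this OP in "aud" and was issued by the expected client in "iss". It applies the stricter reading proposed in the issue: a missing "aud" is rejected rather than tolerated. The issuer URL, client_id and shared secret are constructed sample values; the request object is HS256-signed with that secret purely so the example runs offline, whereas a real deployment would more likely verify an RS256/ES256 signature against the client's registered JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example (not from the issue).
OP_ISSUER = "https://op.example.com"          # this OP's Issuer Identifier URL
CLIENT_ID = "s6BhdRkqt3"                      # hypothetical RP client_id
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_request_object(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """RP side: produce an HS256-signed request object JWT from the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_request_object(jwt: str, expected_client_id: str,
                            op_issuer: str = OP_ISSUER,
                            secret: bytes = CLIENT_SECRET) -> dict:
    """OP side: verify signature, iss and aud. Raises ValueError with a reason."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # iss SHOULD be the RP's Client ID (Core 6.1); we require it here.
    if claims.get("iss") != expected_client_id:
        raise ValueError("iss does not match client_id")
    # aud: absent is an error under the stricter reading; present must include us.
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("aud missing")
    audiences = aud if isinstance(aud, list) else [aud]
    if op_issuer not in audiences:
        raise ValueError("aud does not include this OP's issuer")
    exp = claims.get("exp")
    if exp is not None and exp < time.time():
        raise ValueError("expired")
    return claims


def check_request_object(jwt: str, expected_client_id: str,
                         op_issuer: str = OP_ISSUER) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_request_object(jwt, expected_client_id, op_issuer)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    good = sign_request_object({"iss": CLIENT_ID, "aud": OP_ISSUER,
                                "client_id": CLIENT_ID, "response_type": "code",
                                "redirect_uri": "https://rp.example.com/cb"})
    print(check_request_object(good, CLIENT_ID))
    # Same request object presented at a different OP: rejected by the aud check.
    print(check_request_object(good, CLIENT_ID, op_issuer="https://other-op.example.net"))
```

The second call in the usage block is the scenario the BCP quote describes: a request object minted for one OP cannot be accepted at another, because "aud" names the intended OP. Without "aud" (or with the OP tolerating its absence), that check has nothing to bind to, which is why the issue argues for making the claim mandatory.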