Core 5.6.2. Aggregated and Distributed Claims text lacks guidance on signature validation

Comments (10)

1. 

   Michael Jones

   Per the discussion on the list, we should recommend that the issuer value always be included in the resulting JWTs.

   • 2019-03-28T10:19:45+00:00
2. 

   Michael Jones

   • assigned issue to
     
     Michael Jones
   • changed milestone to Errata

   • 2019-03-28T10:20:30+00:00
3. 

   Pawel Kowalik

   One additional aspect in this respect is how Claims Provider shall deal with signing/encryption expectations of the clients which register dynamically at the OP.

   • 2019-05-09T07:20:04+00:00
4. 

   Torsten Lodderstedt reporter

   we need some text about the HTTP method to be used to retrieve distributed claims

   • 2020-01-23T07:34:21+00:00
5. 

   Torsten Lodderstedt reporter

   we need to consider replay protection for aggregated claims, for example an RP could extract the aggregated claims (a JWT) and use it to poss as the legitimate user some place else.

   • 2020-01-24T02:10:16+00:00
6. 

   Marcos Sanz

   I support the initial suggestion to add “JWT SHOULD contain an iss” and modify the examples to include it (the same way we included the “sub”). Would it help to issue a Pull Request with concrete text to start progress on this?

   • 2020-02-25T09:47:35+00:00
7. 

   Nat Sakimura

   • changed status to open

   • 2021-06-15T00:11:39+00:00
8. 

   Michael Jones

   As discussed on the 31-Jul-23 call, I plan to create a PR saying that an “iss” SHOULD be present so that keys can be retrieved for signature validation.

   • 2023-07-31T23:43:23+00:00
9. 

   Michael Jones

   Will be fixed by https://bitbucket.org/openid/connect/pull-requests/596

   • 2023-08-06T20:34:53+00:00
10. 

    Michael Jones

    • changed status to resolved

    https://bitbucket.org/openid/connect/pull-requests/596 merged

    • 2023-08-13T20:07:27+00:00
11. Log in to comment