Core 5.6.2. Aggregated and Distributed Claims text lacks guidance on signature validation
Section 5.6.2 of the OpenID Connect Core spec does not specify how the RP is supposed to check the signature of a nested JWT containing aggregated claims.
Based on a discussion on the list, I suggest adding text that the JWT SHOULD contain an iss claim which is used to obtain the other claims provider’s JWKS URI.
Comments (10)
- changed milestone to Errata
- One additional aspect in this respect is how the Claims Provider shall deal with signing/encryption expectations of the clients which register dynamically at the OP.
- reporter we need some text about the HTTP method to be used to retrieve distributed claims
- reporter we need to consider replay protection for aggregated claims, for example an RP could extract the aggregated claims (a JWT) and use it to pose as the legitimate user some place else.
- I support the initial suggestion to add “JWT SHOULD contain an iss” and modify the examples to include it (the same way we included the “sub”). Would it help to issue a Pull Request with concrete text to start progress on this?
- changed status to open
- As discussed on the 31-Jul-23 call, I plan to create a PR saying that an “iss” SHOULD be present so that keys can be retrieved for signature validation.
- Will be fixed by https://bitbucket.org/openid/connect/pull-requests/596
- changed status to resolved
Per the discussion on the list, we should recommend that the issuer value always be included in the resulting JWTs.
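As an added example (not text from the issue or from the OpenID Connect spec), here is how an RP could validate an aggregated-claims JWT the way the thread proposes: read iss from the nested JWT, use iss to pick the claims provider's key set, verify the signature, and bind the claims to the ID Token's sub to address the replay concern raised above. The issuer name, kid, key table and HMAC signing are constructed stand-ins so the example runs offline; a real claims provider would publish asymmetric keys at its jwks_uri.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the key material an RP would fetch from each
# registered claims provider's jwks_uri, keyed by issuer then kid. Issuers
# absent from this table are untrusted no matter what iss the JWT carries.
TRUSTED_PROVIDERS = {
    "https://claims.example.net": {"k1": b"constructed-shared-secret-k1"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(key: bytes, kid: str, claims: dict) -> str:
    """Mint an aggregated-claims JWT; only used here to build sample input."""
    hdr = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    signing = f"{hdr}.{_b64(json.dumps(claims).encode())}"
    return signing + "." + _b64(hmac.new(key, signing.encode(), hashlib.sha256).digest())

def extract_aggregated(id_token_claims: dict, name: str) -> str:
    """Locate the nested JWT for claim `name` via _claim_names/_claim_sources."""
    src = id_token_claims["_claim_names"][name]
    return id_token_claims["_claim_sources"][src]["JWT"]

def verify_aggregated(token: str, id_token_sub: str, providers=TRUSTED_PROVIDERS) -> dict:
    """Validate a nested JWT from _claim_sources: iss selects the provider's
    keys, the signature is checked, and sub must match the ID Token's sub."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except ValueError:
        raise ValueError("malformed JWT")
    if header.get("alg") != "HS256":   # pin the alg expected for this deployment
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    if iss not in providers:           # missing iss or unregistered issuer: reject
        raise ValueError(f"untrusted or missing iss: {iss!r}")
    key = providers[iss].get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid for issuer")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("signature invalid")
    if claims.get("sub") != id_token_sub:  # replay check: claims are for this user
        raise ValueError("sub mismatch: aggregated claims belong to another user")
    return claims
```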