Requirement for Binding between IA's claim set subject and IdA's ID Token subject

Issue #1300 new
Edmund Jay created an issue

Comments from TL regarding pull request #39

https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238238135

Torsten Lodderstedt 2021-07-24

I think this is a much too strong requirement. See above: the fact the user has successfully authenticated with both entities typically suffices.

Nat Sakimura 2021-08-09

How does CC find that the claimset has been obtained through the act of active authentication towards the IA? The attacker may have obtained the claimset as a CC before and be replaying it.

Tobias Looker 2021-08-09

But if those events cannot be linked appropriately then the delegation occurring between IA to the IdA cannot be validated. Essentially because the IdA is presenting claims on behalf of the IA the RP must be able to validate this.
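To make the two concerns in this thread concrete (Nat's replay point and Tobias's point that the RP must be able to validate the IdA-to-IA delegation), here is an added illustrative RP-side check. It is not code from the OpenID Connect specifications, the pull request, or any of the commenters. It assumes the IA claim set and the IdA ID Token are plain JSON-style dicts carrying `sub`, `iss`, `jti`, `iat` and `nonce` fields, and it uses an in-memory one-time-acceptance cache; all of those are assumptions for the example.

```python
"""Added example, not from the spec or this issue: an RP-side verifier that
binds an IA-issued claim set to the IdA's ID Token subject, checks freshness,
and refuses a claim set that has already been presented (replay).
Field names and the in-memory replay cache are assumptions."""
import time


class ClaimSetVerifier:
    def __init__(self, max_age_s=300, now=time.time):
        self.max_age_s = max_age_s
        self.now = now
        # (iss, jti) pairs already accepted; a constructed replay cache.
        # A real deployment would need a shared, expiring store.
        self.seen = set()

    def verify(self, id_token, claim_set, expected_nonce):
        """Return (ok, reason). ok is True only if every binding check passes."""
        # 1. The ID Token must belong to this RP session (nonce binding).
        if id_token.get("nonce") != expected_nonce:
            return False, "id_token nonce does not match session nonce"
        # 2. Subject binding: the IA claim set must be about the same subject
        #    the IdA authenticated, otherwise the delegation cannot be validated.
        if claim_set.get("sub") is None or claim_set.get("sub") != id_token.get("sub"):
            return False, "claim set subject does not match ID Token subject"
        # 3. Freshness: a claim set older than max_age_s is rejected.
        iat = claim_set.get("iat")
        if iat is None or self.now() - iat > self.max_age_s:
            return False, "claim set missing iat or too old"
        # 4. Replay: accept a given (iss, jti) only once.
        key = (claim_set.get("iss"), claim_set.get("jti"))
        if None in key:
            return False, "claim set lacks iss/jti needed for replay detection"
        if key in self.seen:
            return False, "claim set already presented (replay)"
        self.seen.add(key)
        return True, "ok"


def demo():
    """Run the verifier over constructed sample tokens and return the outcomes."""
    verifier = ClaimSetVerifier(now=lambda: 1_000_000)
    id_token = {"iss": "https://ida.example", "sub": "user-123", "nonce": "n1"}
    claim_set = {"iss": "https://ia.example", "jti": "cs-1",
                 "sub": "user-123", "iat": 999_900}
    first = verifier.verify(id_token, claim_set, "n1")
    replay = verifier.verify(id_token, claim_set, "n1")
    other_subject = verifier.verify(id_token, dict(claim_set, jti="cs-2", sub="user-999"), "n1")
    stale = verifier.verify(id_token, dict(claim_set, jti="cs-3", iat=900_000), "n1")
    return {"first": first, "replay": replay,
            "other_subject": other_subject, "stale": stale}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} ok={ok} ({reason})")
```

The subject equality check is the binding this issue is about; the nonce, freshness and one-time-acceptance checks are what stop a claim set captured earlier from being presented again by a different party.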
