- changed title to Claims endpoint response JWS 'sub' claim value set by request is problematic
- changed component to Claims Aggregation
- edited description
9.4.2 Claims endpoint response JWS 'sub' claim value set by request is problematic
Comments from TL regarding pull request #39
https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238241112
Torsten Lodderstedt 2021-07-24
I consider this highly problematic. It means the IA asserts a sub value it does not know since it was provided in the request. The sub should contain the sub value at the IA for the user / CC combination.
Comments (4)
reporter
- changed title to 9.4.2 Claims endpoint response JWS 'sub' claim value set by request is problematic
- edited description
This is a point that requires a lot of discussion. The difficulty here is that the IA should not know who the CC is in many cases. (e.g., DMV should not know to which liquor store I am presenting the proof of the overage.)
I also agree that this, together with the op_iss above, is a trust-related topic that needs rework.
I consider this highly problematic. It means the IA asserts a sub value it does not know since it was provided in the request
I think the mitigation that would have to be present here to prevent several potential attacks is to require the sub value provided by the IA to the CA to be cryptographic in nature, e.g. a public key or a derivative of a public key like a thumbprint, for which an accompanying proof of possession must also be provided.
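The mitigation sketched in the comment above (a sub that is a key thumbprint, accepted only together with a proof of possession) can be shown end to end. The following Go program is an added example written for this page; it is not code from the OpenID Connect project or from the draft under discussion, and it assumes a simple shape for the proof that the draft does not define: the holder presents a P-256 public key as a JWK, the sub is that key's RFC 7638 thumbprint, and possession is proven by an ECDSA signature over a challenge the verifier issued. Names such as Prove and VerifyBoundSub are hypothetical; the challenge bytes are constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWK holds the members of a P-256 public key as a JSON Web Key.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// ProofOfPossession is what the holder presents next to the claimed sub:
// the key, the verifier's challenge, and an ECDSA signature over that challenge.
type ProofOfPossession struct {
	Key       JWK
	Challenge []byte
	Sig       []byte
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// coord encodes a P-256 coordinate as a fixed 32-byte big-endian value (RFC 7518 6.2.1).
func coord(i *big.Int) string {
	b := make([]byte, 32)
	i.FillBytes(b)
	return b64url(b)
}

// PublicJWK exports an ECDSA P-256 public key as a JWK.
func PublicJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{Kty: "EC", Crv: "P-256", X: coord(pub.X), Y: coord(pub.Y)}
}

// Thumbprint computes the RFC 7638 thumbprint of an EC key: the required members
// (crv, kty, x, y) serialised with sorted keys and no whitespace, then SHA-256,
// base64url-encoded. encoding/json sorts map keys, which gives the canonical form.
func Thumbprint(k JWK) string {
	canon, _ := json.Marshal(map[string]string{"crv": k.Crv, "kty": k.Kty, "x": k.X, "y": k.Y})
	sum := sha256.Sum256(canon)
	return b64url(sum[:])
}

// ParseJWK reconstructs the public key from a JWK and rejects points off the curve.
func ParseJWK(k JWK) (*ecdsa.PublicKey, error) {
	if k.Kty != "EC" || k.Crv != "P-256" {
		return nil, errors.New("unsupported key type")
	}
	xb, err := base64.RawURLEncoding.DecodeString(k.X)
	if err != nil {
		return nil, err
	}
	yb, err := base64.RawURLEncoding.DecodeString(k.Y)
	if err != nil {
		return nil, err
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point not on curve")
	}
	return pub, nil
}

// Prove is the holder's side: sign the verifier-supplied challenge with the key
// whose thumbprint is being claimed as sub (hypothetical helper, not from the draft).
func Prove(priv *ecdsa.PrivateKey, challenge []byte) (ProofOfPossession, error) {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return ProofOfPossession{}, err
	}
	return ProofOfPossession{Key: PublicJWK(&priv.PublicKey), Challenge: challenge, Sig: sig}, nil
}

// VerifyBoundSub is the verifier's side. A sub is accepted only if it is the thumbprint
// of the presented key AND the presenter proved control of that key by signing the
// challenge this verifier issued, so a sub merely copied from a request is rejected.
func VerifyBoundSub(sub string, issuedChallenge []byte, pop ProofOfPossession) error {
	if Thumbprint(pop.Key) != sub {
		return errors.New("sub is not the thumbprint of the presented key")
	}
	if !bytes.Equal(pop.Challenge, issuedChallenge) {
		return errors.New("challenge mismatch: possible replay")
	}
	pub, err := ParseJWK(pop.Key)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(pop.Challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], pop.Sig) {
		return errors.New("proof of possession failed")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := []byte("constructed-nonce-from-verifier") // constructed sample challenge
	pop, _ := Prove(priv, challenge)
	sub := Thumbprint(pop.Key)
	fmt.Println("key-bound sub accepted:", VerifyBoundSub(sub, challenge, pop) == nil)
	fmt.Println("request-chosen sub accepted:", VerifyBoundSub("alice", challenge, pop) == nil)
}
```

Because the challenge is chosen by the verifier and checked back, a captured proof cannot be replayed against a different challenge, and because sub is derived from the key rather than carried in the request, the IA never has to assert a subject identifier it did not compute itself.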