Basic profile missing reference to id_token definition

Issue #618 resolved
Pamela Dingle created an issue

Section 2.3 (ID Token verification) of the basic profile details how to verify claims such as exp, iat, and aud in the id token, but nowhere in the basic profile is there a definition of what exp, iat and aud actually look like.

Suggest that we add a reference at the end of section 2.3 of the basic profile that refers readers to the Messages spec section 2.1.1 for more information about the claims within the id_token.

Comments (6)

  1. Former user Account Deleted

    Hi Nat,

    it isn't that a check is necessary - it's just that there is no place in the basic profiles where the claims that are part of the id_token are explained. So when a user is reading section 2.3 of the basic profile, they are told to operate on a claim called exp, but there is no explanation of what exp (or aud or iss or iat) actually represents unless the reader searches all the documents and finds section 2.1.1 of the messages specification.
