openid / connect / issues / #619 - Basic - issuer + client_id check a MUST in id_token validation — Bitbucket

Issue #619 resolved

Nat Sakimura created an issue 2012-07-14

Since we are not checking sigs in Basic, we need to check it explicitly.

Comments (6)

Former user Account Deleted
Let's be careful to indicate that client_id and audience have different meanings in an id_token.

The client_id is to whom the token was issued; the basic recipient MAY restrict that the client_id be always self-referential, but this will prevent it from accepting 4th party use cases such as a token issued to an affiliated mobile app. It's important to call out that the client_id restriction is optional and possibly NOT RECOMMENDED to parties that don't understand the implications for interoperability.

The audience check (ensure that it's self-referential) is absolutely required. That's the MUST.

I used the word self-referential (as opposed as client_id equality testing) on purpose. An application may be represented by multiple client_ids.
- 2012-07-14T23:11:19+00:00
Michael Jones
- assigned issue to
  
  John Bradley
- changed status to open
Breno's comments about self-referential makes sense, as do his comments about 4th party interactions.
- 2012-07-19T14:28:46+00:00
John Bradley
Re ~~#619~~ Clarified that the client MUST check that the issuer is valid for the token endpoint

→ a24b91424377
- 2012-09-24T13:03:35+00:00
Michael Jones
Needs review before closure
- 2012-12-04T00:04:43+00:00
John Bradley
- marked as minor
- changed title to Basic - issuer + client_id check a MUST in id_token validation
- 2013-01-07T23:34:33+00:00
John Bradley
- changed status to resolved
Reviewed by Mike. close ticket
- 2013-01-16T22:05:13+00:00
Log in to comment

Assignee: John Bradley

Type: bug

Priority: minor

Status: resolved

Component: –

Milestone: –

Version: –

Votes: 0

Watchers: 0

Jira Software: the preferred issue tracker for Bitbucket. Join the team!