Basic - 3.3.4.2 iss parameter processing not specified

Issue #82 resolved
Former user created an issue

Check session response verification does not specify any verification or processing for the "iss" parameter, it is hence effectively optional and ignorable.

Clients should be instructed what to do with its value (or the response parameter removed if not needed).

Comments (5)

  1. hideki nara

    iss must be equal to Server's identifier because iss is REQUIRED in ID Token.

    Anyway, is the way of verifying the ID Token dependent on use cases or protocol flow? If not, Session Management should define verification of the ID Token and be referred to by other specs, shouldn't it?

  2. Nat Sakimura
    • changed status to open

    Basic must not refer to other specs by the requirement. Thus, it should have the description.

    Change:

    1. If the authentication request contained a nonce, check that the returned nonce is valid.
    2. Verify that the response was intended for the recipient, using the aud (audience) contained within the response.
    3. If issued_to is present then it MUST contain an identifier for a trusted intermediary. If issued_to is unknown then the assertion MUST be rejected.
    4. Check that the server that responded was really the intended server through a TLS/SSL server certificate check.
    5. The Check Session Endpoint has not returned an error for the token being expired or invalid.

    To:

    1. Make sure that the TLS connection is made with the intended server.
    2. The Check Session Endpoint has not returned an error for the token being expired or invalid.
    3. Check that the returned nonce is equal to the nonce in the Authorization Request.
    4. Verify that the aud (audience) is the client_id.
  3. Nat Sakimura

    Move the entire response verification section to the Response section and make the verification rules to be as follows.

    1. Make sure that the TLS connection is made with the intended server.
    2. The Check Session Endpoint has not returned an error for the token being expired or invalid.
    3. Check that the iss is equal to that of the pre-configured or discovered Issuer Identifier for the user session.
    4. Check that the returned nonce is equal to the nonce in the Authorization Request.
    5. Verify that the aud (audience) is the client_id.
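The five verification rules proposed in the last comment, written out as a client-side check, as an added example (not text from the issue or from the OpenID Connect specs). The response field names `iss`, `nonce`, `aud` and `error` are assumed from the discussion; the TLS result is passed in as a flag because it is decided by the transport layer, not by inspecting the response body.

```python
import hmac
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class SessionVerifyResult:
    ok: bool
    reason: Optional[str] = None


def verify_check_session_response(
    response: Mapping[str, Any],
    *,
    tls_verified: bool,
    expected_issuer: str,
    expected_nonce: str,
    client_id: str,
) -> SessionVerifyResult:
    """Apply the verification rules from the proposed text, in order, failing closed.

    expected_issuer is the pre-configured or discovered Issuer Identifier for
    the user session; expected_nonce is the nonce sent in the Authorization
    Request. Field names are assumptions, not taken from the final spec.
    """
    # 1. The TLS connection was made with the intended server (checked by the transport).
    if not tls_verified:
        return SessionVerifyResult(False, "tls_not_verified")
    # 2. The Check Session Endpoint has not returned an error (expired or invalid token).
    if "error" in response:
        return SessionVerifyResult(False, f"endpoint_error:{response['error']}")
    # 3. iss equals the Issuer Identifier for this session; a missing iss is a rejection,
    #    which is exactly the gap the issue reports in the unamended text.
    iss = response.get("iss")
    if not isinstance(iss, str) or iss != expected_issuer:
        return SessionVerifyResult(False, "issuer_mismatch")
    # 4. nonce equals the nonce from the Authorization Request (constant-time compare).
    nonce = response.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, expected_nonce):
        return SessionVerifyResult(False, "nonce_mismatch")
    # 5. aud is this client's client_id.
    if response.get("aud") != client_id:
        return SessionVerifyResult(False, "audience_mismatch")
    return SessionVerifyResult(True)


# Constructed sample response for illustration only.
SAMPLE_RESPONSE = {"iss": "https://op.example.com", "aud": "client-123", "nonce": "n-0S6_WzA2Mj"}
```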