possible type confusion with distributed/aggregated claims
Issue #1331
resolved
As originally mentioned on https://bitbucket.org/openid/ekyc-ida/pull-requests/144#comment-340866589 the JWS for distributed/aggregated claims the recommendation in the JWT BCP say we should try to make sure these objects can’t be confused with other JWS objects.
e.g. As the object contains iss & sub, it can potentially be confused with an id_token (and that would be bad, as someone obtaining the claim object may then be able to use it as an id_token at services that allow id_tokens from that issuer to be used/exchanges for other things).
This could be avoided by explicitly saying that these objects must not contain exp / aud, which would mean they can’t be valid id tokens.
Additionally, defining an explicit value to be used in the typ header would probably also make sense.
Comments (9)
-
-
reporter
I think prohibiting
exp/audis pivotal to preventing type confusion with id tokens, as the id token validation rules don't include checkingtyp. -
- changed status to resolved
Fix Issue
#1331→ <<cset 8f0ef20e1c67>>
-
- changed status to open
-
- changed status to resolved
Merged in danielfett/fix-1331 (pull request #148)
Fix Issue
#1331Approved-by: Joseph Heenan Approved-by: Mark Haine
→ <<cset 64389ac707b5>>
-
reporter
re: typ header; we can copy from how it’s registered in dpop https://github.com/danielfett/draft-dpop/blob/master/main.md#media-type-registration
The name would start application/ (which is omitted when used in a typ header) and end +jwt.
Possibly something like application/detachedclaims+jwt but the name probably needs further thought.
-
reporter
- changed status to open
-
being addressed by PR#149
-
- changed status to resolved
- Log in to comment
+1 for
typ. I guess prohibitingexpandaudalso makes sense.