JARM: JWT claims iss, aud and exp missing in authz error example

Issue #191 resolved
Vladimir Dzhuvinov created an issue

https://openid.net//specs/openid-financial-api-jarm.html#response-type-code

The JWT payload example should include the iss, aud and exp claims:

{
   "error":"access_denied",
   "state":"S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw"
}

Comments (6)

  1. Tom Jones

    whatever for? The error messages should give as little information as possible. Stop trying to help the attacker!

  2. Vladimir Dzhuvinov reporter

    @tomcjones How do you see those three JWT claims potentially causing a security problem in an error response?

    The iss and aud are essentially public information, and even if they are omitted, they can still be inferred if an attacker intercepted the JWT. The JWT header will likely include a "kid" or by validating the JWT signature, it can be verified who issued it. The client_id is also not something secret.

    I find it's the opposite -- if aud and exp are missing, the client cannot be sure if the response isn't being replayed, and this ends up defeating the purpose of JARM.

  3. Tom Jones

    Everywhere I go in OAuth and OpenID I get the distinct sense that well-known security facts are not understood at all. sigh.
