new certification check: aud in client assertions is issuer
Issue #398
resolved
For the FAPI WG’s information, the certification team intend to add a new test to the FAPI-RW, FAPI1-Advanced and FAPI-CIBA test suite that sends the aud in the client assertion to the token endpoint as the OP's issuer (whereas normally aud is the token endpoint as per OIDCC). If this test fails, a warning will be issued.
This is a step towards improving interoperability in this area, see https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience#comment-60234935 and https://gitlab.com/openid/conformance-suite/-/issues/877 for further background.
As the test only issues a warning, failing the new test will not prevent anyone certifying - so this is viewed as a low impact change. The change will likely roll out in a few weeks time.
Comments (9)
-
-
- changed status to open
-
leave open until the test is added
-
@joseph has this test been added yet?
-
Unfortunately not; I think various other things unfortunately bumped it down the list a little.
We could close the ticket here to tidy up the fapi wg list - there is a ticket tracking it in the conformance suite issue tracker: https://gitlab.com/openid/conformance-suite/-/issues/877
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
-
- changed status to resolved
Closed as ticket being tracked in conformance test suite tracker
- Log in to comment
It’s great watching this one go around the houses. Thanks everyone for sorting it!