FAPI-RW: Require the 'aud' claim in the request object

Pull request #95 (merged)

Merged in josephheenan/fapi/restrict-aud (pull request #95), commit be897f6, 2019-03-14

Description

Currently the request object an RP generates for one OP may well be accepted by another OP. This seems undesirable and hence we strengthen the 'should's found in https://openid.net/specs/openid-connect-core-1_0.html#RequestObject to MUSTs, as discussed in #190.

We also restrict the aud to being a simple string value; this seems to be in practice what a number of participants in the OB UK ecosystem have implemented, and within FAPI there doesn't seem to be any use case (apart from potentially trying to confuse an AS or application firewall) to allow multiple 'aud' values in a request object that is by definition to be consumed by the target AS.

closes #190

closes #214
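The check an AS would apply under the rule described above, written out as an added example; this is not code from the FAPI specification or from the PR, and it assumes the AS compares the request object's aud against its own Issuer Identifier (the value OpenID Connect Core says the aud SHOULD be). The constructed AS_ISSUER, client identifiers and sample request objects below are assumptions for illustration, and signature verification of the request object is assumed to have happened before these checks run.

```python
import base64
import json

# Constructed issuer identifier for the AS running these checks (an assumption for the example).
AS_ISSUER = "https://as.example.com"


class RequestObjectError(ValueError):
    """Raised when a request object fails the 'aud' checks."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_request_object(claims: dict) -> str:
    """Build an alg=none compact JWS as constructed test input only.
    Real request objects are signed; signature checks are out of scope here."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def request_object_claims(request_object: str) -> dict:
    """Return the payload of a compact-serialized request object.
    Assumes the JWS signature has already been verified with the client's key."""
    parts = request_object.split(".")
    if len(parts) != 3:
        raise RequestObjectError("request object is not a compact JWS")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise RequestObjectError("payload is not valid JSON") from exc
    if not isinstance(claims, dict):
        raise RequestObjectError("payload is not a JSON object")
    return claims


def check_aud(claims: dict, as_issuer: str) -> str:
    """Apply the strengthened rule: 'aud' MUST be present, MUST be a single
    string (arrays are rejected even though RFC 7519 allows them), and MUST
    equal this AS's issuer identifier. Returns the accepted aud value."""
    if "aud" not in claims:
        raise RequestObjectError("missing 'aud' claim")
    aud = claims["aud"]
    if not isinstance(aud, str):
        raise RequestObjectError(
            "'aud' must be a single string, got %s" % type(aud).__name__)
    if aud != as_issuer:
        raise RequestObjectError(
            "request object addressed to %r, not this AS (%r)" % (aud, as_issuer))
    return aud


def evaluate(request_object: str, as_issuer: str = AS_ISSUER) -> tuple:
    """Return (accepted, reason) for a request object presented to this AS."""
    try:
        check_aud(request_object_claims(request_object), as_issuer)
    except RequestObjectError as exc:
        return False, str(exc)
    return True, "aud matches this AS"


# Constructed client and authorization request parameters (assumptions for the example).
BASE_CLAIMS = {
    "iss": "client-123", "client_id": "client-123",
    "response_type": "code id_token", "redirect_uri": "https://rp.example.com/cb",
    "scope": "openid", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
}

# Constructed sample request objects: one compliant, three that the AS must reject.
SAMPLES = {
    "single matching aud": make_unsigned_request_object({**BASE_CLAIMS, "aud": AS_ISSUER}),
    "no aud": make_unsigned_request_object(BASE_CLAIMS),
    "array aud": make_unsigned_request_object(
        {**BASE_CLAIMS, "aud": [AS_ISSUER, "https://other-as.example.com"]}),
    "other AS aud": make_unsigned_request_object(
        {**BASE_CLAIMS, "aud": "https://other-as.example.com"}),
}

if __name__ == "__main__":
    for name, ro in SAMPLES.items():
        accepted, reason = evaluate(ro)
        print(f"{name:20s} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

The "array aud" sample is the case the description calls out: under plain RFC 7519 semantics an array containing this AS's identifier would be accepted as addressed to it, which is exactly the ambiguity that lets a request object built for one OP pass at another or slip past a firewall that only inspects the first element.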
