FAPI-RW: Require the 'aud' claim in the request object
Joseph Heenan
Branch: josephheenan/fapi:restrict-aud
Branch: openid/fapi:master
Merged
Merged pull request
Merged in josephheenan/fapi/restrict-aud (pull request #95)
Merged in josephheenan/fapi/restrict-aud (pull request #95)
Currently the request object an RP generates for one OP may well be accepted by another OP. This seems undesireable and hence we strengthen the 'should's found in https://openid.net/specs/openid-connect-core-1_0.html#RequestObject to MUSTs, as discussed is #190.
We also restrict the aud to being a simple string value; this seems to be in practice what a number of participants in the OB UK ecosystem have implemented, and within FAPI there doesn't seem to be any use case (apart from potentially trying to confuse an AS or applicaiton firewall) to allow multiple aud's in a request object that is by definition to be consumed by the target AS.
closes #190
closes #214