typ header for User Statement Token / potential for confusion with id_token
If I’ve followed things correctly, the token defined in https://openid.net/specs/openid-connect-user-questioning-api-1_0-11.html#rfc.section.2 is almost a valid id_token - the only difference I spotted vs https://openid.net/specs/openid-connect-core-1_0.html#IDToken is that it doesn’t include an iat / exp and perhaps nonce - all of which are technically optional to check in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
(It does contain a number of claims that are unique to the user statement token, but OIDC clients are required to ignore unknown claims in an id_token so that potentially wouldn’t prevent something accepting a user statement token as an id_token.)
That might be worthy of a security consideration (people may accidentally or deliberately include iat/exp), but as per https://tools.ietf.org/html/rfc8725#section-3.11 it may be worth considering adding a typ header to help avoid any future confusion.
Comments (3)
Updates:
- A UST SHALL be a JWT with "typ":"UST+jwt";
- A UST MUST NOT include exp, iat or nonce;
- Update of Security section;
- Update of examples.
The correction is made in: https://bitbucket.org/openid/mobile/pull-requests/10
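To illustrate the confusion described in the issue and the defence the fix enables, here is an added example (not code from the spec, the PR, or either commenter): a minimal id_token validator that applies RFC 8725 section 3.11 explicit typing, rejecting a JWT whose header carries "typ":"UST+jwt", and that also requires the exp/iat claims a UST must not carry, so an untyped UST is still rejected. The key, issuer, client_id and subject are constructed sample values; HS256 is used only so the example runs offline with the standard library.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Mint an HS256-signed JWT (test helper; a real OP signs with its asymmetric key)."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, now: int) -> dict:
    """Accept the token only if it is an ID Token: explicit typ check plus required claims."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    # RFC 8725 s3.11 explicit typing: OIDC Core assigns no typ to ID Tokens, so accept a missing
    # typ or the generic "JWT"; any other value, "UST+jwt" included, is not an ID Token.
    if header.get("typ", "JWT").upper() != "JWT":
        raise ValueError(f"not an ID Token: typ={header.get('typ')!r}")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # exp and iat are REQUIRED ID Token claims and a UST MUST NOT carry them: second line of defence.
    if not isinstance(claims.get("exp"), int) or not isinstance(claims.get("iat"), int):
        raise ValueError("missing exp/iat")
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

KEY = b"constructed-shared-secret"                      # constructed sample key
ISSUER, CLIENT = "https://op.example", "client-123"     # constructed sample values

def demo(now: int = 1_618_300_000) -> dict:
    """Run the validator over three constructed tokens and report the outcome of each."""
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT}
    tokens = {
        "id_token": make_jwt({"alg": "HS256"}, {**base, "iat": now - 10, "exp": now + 300}, KEY),
        "ust_typed": make_jwt({"alg": "HS256", "typ": "UST+jwt"}, base, KEY),   # per the fix: typ, no exp/iat/nonce
        "ust_untyped": make_jwt({"alg": "HS256"}, base, KEY),                    # pre-fix shape: no typ header
    }
    results = {}
    for name, tok in tokens.items():
        try:
            validate_id_token(tok, KEY, ISSUER, CLIENT, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results
```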
- changed status to resolved
resolved in version of April 13th, 2021