[Openid-specs-ab] Issue #1319: Establish common identifier between IA and IdA not exposed to CC (openid/connect)

Edmund Jay issues-reply at bitbucket.org
Thu Aug 19 09:34:55 UTC 2021


New issue 1319: Establish common identifier between IA and IdA not exposed to CC
https://bitbucket.org/openid/connect/issues/1319/establish-common-identifier-between-ia-and

Edmund Jay:

Comments from TL regarding [pull request #39](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca)

[https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238240866](https://bitbucket.org/openid/connect/pull-requests/39/merging-cp-into-ca#comment-238240866)

I feel uncomfortable with the fact this request and respective response are not tied in any way to a subject value previously attested by the IA to the IdA. If, for whatever reason, the IdA mixes up access tokens, it may request and subsequently present the wrong claims (belonging to a different user) to a CC.

I think IA and IdA need to establish a common identifier that is not exposed to a CC.
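The failure mode raised in the comments, and the check a shared identifier would enable, as an added illustration that is not part of the issue thread or of any OpenID draft: an IA issues access tokens to an IdA and, per this proposal, also attests a subject value to it; the IdA keeps that value internal and uses it to verify each claims response before forwarding claims to a CC. Party names follow the thread; the `sub` field in the IA's response, the class layout and all tokens, users and claim values are assumptions constructed for the simulation.

```python
"""Added example (not from the issue thread): an access-token mix-up at the
IdA silently presents another user's claims to a CC unless each claims
response is bound to a subject the IA previously attested to the IdA.
All identifiers, users and claims below are constructed."""

import secrets


class SubjectMismatch(Exception):
    """Raised when a claims response does not belong to the expected subject."""


class IA:
    """Claims source. Issues access tokens and attests a pairwise subject
    identifier to the IdA (assumed design; never shown to the CC)."""

    def __init__(self, users):
        self._users = users          # user -> claims (constructed sample data)
        self._subjects = {}          # user -> subject id attested to the IdA
        self._tokens = {}            # access token -> user

    def authorize(self, user):
        token = secrets.token_urlsafe(16)
        sub = self._subjects.setdefault(user, secrets.token_urlsafe(16))
        self._tokens[token] = user
        return token, sub

    def claims_for(self, token):
        user = self._tokens[token]
        return {"sub": self._subjects[user], **self._users[user]}


class IdA:
    """Aggregator. Stores one access token per user; with binding enabled it
    also stores the subject the IA attested and checks every response."""

    def __init__(self, ia):
        self.ia = ia
        self.tokens = {}             # user -> access token from the IA
        self.subjects = {}           # user -> subject attested by the IA

    def register(self, user):
        self.tokens[user], self.subjects[user] = self.ia.authorize(user)

    def fetch(self, user, check_binding):
        response = self.ia.claims_for(self.tokens[user])
        if check_binding and response["sub"] != self.subjects[user]:
            raise SubjectMismatch(f"claims for {user} carry an unexpected subject")
        # The common identifier stays between IA and IdA; strip it before
        # anything is presented to a CC.
        response.pop("sub")
        return response


def simulate(mixup, check_binding):
    """Return the claims the IdA would present to a CC for 'alice', or None
    when the binding check rejects the response. `mixup` swaps the stored
    tokens of alice and bob to model the bookkeeping error in the thread."""
    ia = IA({"alice": {"given_name": "Alice"}, "bob": {"given_name": "Bob"}})
    ida = IdA(ia)
    ida.register("alice")
    ida.register("bob")
    if mixup:
        ida.tokens["alice"], ida.tokens["bob"] = ida.tokens["bob"], ida.tokens["alice"]
    try:
        return ida.fetch("alice", check_binding)
    except SubjectMismatch:
        return None


if __name__ == "__main__":
    print("no mix-up, unbound:", simulate(False, False))
    print("mix-up, unbound:   ", simulate(True, False))   # Bob's claims leak
    print("mix-up, bound:     ", simulate(True, True))    # rejected
```

Without the binding the mix-up case returns Bob's claims under Alice's name and nothing in the exchange can detect it; with it, the IdA refuses to forward the response, while the CC never sees the identifier used for the check.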


