[Openid-specs-ab] Aggregated and Distributed Claims

Hans Zandbelt hans.zandbelt at zmartzone.eu
Mon Mar 4 18:27:55 UTC 2019


agree, one "iss" would rule them all!

Hans.

On Mon, Mar 4, 2019 at 5:01 PM Torsten Lodderstedt <torsten at lodderstedt.net>
wrote:

> Thanks
>
> As far as I understand, you discussed distributed claims only and
> suggested to do discovery on the endpoint and/or use the claim provider’s
> TLS cert to conduct the check. That does not work for aggregated claims.
>
> I think requiring an iss claim in the JWT is the obvious solution as the
> RP can perform signature validation as normal in OIDC. BTW: I would suggest
> the same for distributed claims :-)
>
> What do you think?
>
> > On 04.03.2019 at 16:56, Hans Zandbelt <hans.zandbelt at zmartzone.eu>
> > wrote:
> >
> > FYI: developing the OIDC certification suite we encountered the same:
> >
> https://github.com/openid-certification/oidctest/issues/51#issuecomment-349301164
> >
> > Hans.
> >
> > On Mon, Mar 4, 2019 at 4:38 PM Torsten Lodderstedt via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> > Hi all,
> >
> > I just worked my way through section 5.6.2 of the OpenID Connect Core
> spec and I'm wondering how a RP is supposed to check the signature of a
> nested JWT containing aggregated claims. There is no text that the JWT must
> contain an "iss" claim that could be used to obtain the other claims
> provider's JWKS URI.
> >
> > What does the spec assume about how signature validation should work?
> >
> > kind regards,
> > Torsten.
> >
> >
> > --
> > hans.zandbelt at zmartzone.eu
> > ZmartZone IAM - www.zmartzone.eu
>
>

-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
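Added example, not part of the thread and not code from oidctest or any OpenID project: the RP-side check the two messages above are circling, written in Go against the standard library. The issuer URLs, the in-memory issuer-to-key table that stands in for discovery and jwks_uri, the RS256-only policy and the UserInfo response with its _claim_names / _claim_sources are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// issuerKeys stands in for discovery (iss -> jwks_uri -> keys) so the example runs offline.
var issuerKeys = map[string]*rsa.PublicKey{}

func newIssuer(iss string) *rsa.PrivateKey { // hypothetical claims provider; registers its public key
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	issuerKeys[iss] = &key.PublicKey
	return key
}

// signRS256 is the claims provider side: a compact RS256 JWS over the given claims.
func signRS256(key *rsa.PrivateKey, claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	return input + "." + enc.EncodeToString(sig)
}

// verifyAggregatedJWT is the RP side: read iss from the still-untrusted payload, resolve that issuer's key, verify, then return claims.
func verifyAggregatedJWT(jwt string) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("malformed JOSE header")
	}
	if hdr.Alg != "RS256" { // the RP fixes the algorithm; the token never gets to pick "none" or HS256
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var claims map[string]interface{}
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	iss, _ := claims["iss"].(string)
	if iss == "" {
		return nil, fmt.Errorf("aggregated JWT carries no iss claim: cannot locate the claims provider's JWKS")
	}
	pub, ok := issuerKeys[iss]
	if !ok {
		return nil, fmt.Errorf("unknown claims provider %q", iss)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify against the keys of %q", iss)
	}
	return claims, nil
}

// resolveAggregatedClaims walks _claim_names / _claim_sources (Core 5.6.2); one source that fails to verify fails the whole response.
func resolveAggregatedClaims(userinfo map[string]interface{}) (map[string]interface{}, error) {
	names, _ := userinfo["_claim_names"].(map[string]interface{})
	sources, _ := userinfo["_claim_sources"].(map[string]interface{})
	out := map[string]interface{}{}
	for claim, ref := range names {
		src, _ := sources[fmt.Sprint(ref)].(map[string]interface{})
		jwt, ok := src["JWT"].(string)
		if !ok { continue } // a distributed source (endpoint + access_token) is not handled here
		verified, err := verifyAggregatedJWT(jwt)
		if err != nil {
			return nil, fmt.Errorf("claim source %v: %w", ref, err)
		}
		out[claim] = verified[claim]
	}
	return out, nil
}

// sampleUserInfo is a constructed UserInfo-style response aggregating two claims from one JWT.
func sampleUserInfo(jwt string) map[string]interface{} {
	return map[string]interface{}{
		"_claim_names":   map[string]interface{}{"address": "src1", "phone_number": "src1"},
		"_claim_sources": map[string]interface{}{"src1": map[string]interface{}{"JWT": jwt}},
	}
}

func main() {
	key := newIssuer("https://claims.example.com")
	jwt := signRS256(key, map[string]interface{}{"iss": "https://claims.example.com", "address": "Berlin", "phone_number": "+1 (310) 123-4567"})
	fmt.Println(resolveAggregatedClaims(sampleUserInfo(jwt)))
}
```

The lookup keyed on iss is the one step a real RP replaces with discovery of the claims provider's jwks_uri; without an iss in the nested JWT there is nothing to key that lookup on, so the code fails closed, which is the behaviour the proposed requirement would give RPs a basis for. Pinning RS256 on the RP side is deliberate: the token must not get to choose its own algorithm.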