[Openid-specs-fapi] Verification: non-compliant JWT audience

Pamela Dingle pdingle at pingidentity.com
Wed Sep 27 13:04:58 UTC 2017


It would be great if we could put it on the agenda, thanks Nat!

On Wed, Sep 27, 2017 at 3:28 AM, Nat Sakimura via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> So, shall we talk about this in the next call, that is happening in a few
> hours?
>
>
>
> ---
> Nat Sakimura
> Research Fellow, Nomura Research Institute
> Chairman of the Board, OpenID Foundation
>
> On 2017-09-26 06:28, Brian Campbell via Openid-specs-fapi wrote:
>
> I tend to agree with John here. The OB software statement probably
> shouldn't have an audience at all or, if it does, some kind of logical
> audience for all UK-Open banking participants would be more appropriate.
>
> The jose4j library does allow the ability to override the rules set out in
> https://tools.ietf.org/html/rfc7519#section-4.1.3 but the intent is to
> turn off the default processing and enable more complex or application
> specific audience processing by plugging in customized claim validation in
> specialized cases that need it. Although it can be abused, it's not
> intended to allow for non-compliant behavior.
>
> On Fri, Sep 22, 2017 at 5:50 PM, John Bradley via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
>> I guess the other question is if the software statement should have an
>> audience.  Nothing in JWT requires one.  Or you could have a logical
>> audience for UK-Open banking participants that they could all recognize.
>> That would keep other people from accidentally trying to process it.
>>
>> John B.
>>
>> On Sep 22, 2017, at 7:53 PM, Pamela Dingle via Openid-specs-fapi <
>> openid-specs-fapi at lists.openid.net> wrote:
>>
>> Hi FAPI'ers,
>>
>> Can anyone here comment on whether they use or make technology that
>> CANNOT override the standard RFC7519 JWT audience validation requirements?
>>
>> I know that the jose4j library allows the ability to override the rules
>> set out in https://tools.ietf.org/html/rfc7519#section-4.1.3 but I don't
>> know if that is a common feature of other libraries.  As I read those
>> rules, any entity that receives a JWT with an aud claim populated but which
>> does not have the entity itself listed as a recipient should reject that
>> JWT.
>>
>> In this case we are talking about validating software statements in
>> dynamic client requests -- if the software statement is generated with an
>> audience set to be the client requesting the software statement,
>> technically every AS the client tries to post that statement to should
>> reject the statement, since the aud claim does not reference them
>> directly.  Any opinions on whether at the end of the day this is a serious
>> compliance issue (or not), and/or a real problem for implementers (or not)
>> would be welcome.
>>
>> Cheers,
>>
>> Pamela
>>
>> --
>> Pam Dingle
>> Principal Technical Architect
>> pdingle at pingidentity.com
>>
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>>


-- 
Pam Dingle
Principal Technical Architect
pdingle at pingidentity.com
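The RFC 7519 section 4.1.3 audience rule the thread turns on, run against the three software-statement options discussed (aud set to the requesting client, no aud, a logical audience shared by all participants). This is an added example, not code from the thread, from jose4j or from any Open Banking directory; every URL, claim value and the logical-audience identifier are constructed.

```python
# RFC 7519 section 4.1.3 audience check, applied to the software-statement
# scenario in the thread. Added example, not code from the thread or jose4j;
# every URL and claim value below is constructed. Signatures are not verified.
from typing import Any, Dict, Iterable, List

class InvalidAudience(Exception):
    """Raised when the recipient is not listed in the token's aud claim."""

def check_audience(claims: Dict[str, Any], my_ids: Iterable[str]) -> None:
    """RFC 7519 sec 4.1.3: if aud is present, the recipient MUST identify itself
    with one of its values (a string or array of strings) or reject the JWT.
    A JWT without aud places no restriction on who may process it."""
    if "aud" not in claims:
        return
    aud = claims["aud"]
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        values = aud
    else:
        raise InvalidAudience("aud must be a string or a non-empty array of strings")
    if not set(my_ids) & set(values):
        raise InvalidAudience(f"none of {sorted(my_ids)!r} is in aud {values!r}")

def accepting_servers(ssa: Dict[str, Any], servers: List[str],
                      logical_aud: str = "") -> List[str]:
    """Which authorization servers accept the software statement? Each AS
    identifies itself by its own URL and, if the ecosystem defines one, by the
    shared logical audience that all participants recognise."""
    accepted = []
    for url in servers:
        ids = {url, logical_aud} if logical_aud else {url}
        try:
            check_audience(ssa, ids)
            accepted.append(url)
        except InvalidAudience:
            pass
    return accepted

# Constructed sample: one directory-issued SSA, a client registering at three ASes.
SERVERS = ["https://as.bank-a.example", "https://as.bank-b.example",
           "https://as.bank-c.example"]
CLIENT_ID = "https://tpp.example/client-42"
PARTICIPANTS = "https://directory.example/all-participants"  # hypothetical logical aud
BASE = {"iss": "https://directory.example", "software_id": "42"}
SSA_AUD_CLIENT = {**BASE, "aud": CLIENT_ID}  # aud names the client: every AS rejects it
SSA_NO_AUD = dict(BASE)                      # no aud at all: every AS accepts it
SSA_LOGICAL = {**BASE, "aud": PARTICIPANTS}  # logical aud: accepted once recognised
```

Note that the logical-audience variant only works once every AS is configured to recognise that shared identifier as one of its own; an AS that checks only its own URL still rejects it.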