[Openid-specs-fapi] Verification: non-compliant JWT audience

Tom Jones thomasclinganjones at gmail.com
Fri Sep 29 01:29:00 UTC 2017


I agree.
AUD should not be in a s/w statement at all.

I also think that you should ban questions like this that are not issues.

Peace ..tom

On Fri, Sep 22, 2017 at 3:53 PM, Pamela Dingle via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Hi FAPI'ers,
>
> Can anyone here comment on whether they use or make technology that CANNOT
> override the standard RFC7519 JWT audience validation requirements?
>
> I know that the jose4j library allows the ability to override the rules
> set out in https://tools.ietf.org/html/rfc7519#section-4.1.3 but I don't
> know if that is a common feature of other libraries.  As I read those
> rules, any entity that receives a JWT with an aud claim populated but which
> does not have the entity itself listed as a recipient should reject that
> JWT.
>
> In this case we are talking about validating software statements in
> dynamic client requests -- if the software statement is generated with an
> audience set to be the client requesting the software statement,
> technically every AS the client tries to post that statement to should
> reject the statement, since the aud claim does not reference them
> directly.  Any opinions on whether at the end of the day this is a serious
> compliance issue (or not), and/or a real problem for implementers (or not)
> would be welcome.
>
> Cheers,
>
> Pamela
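The audience rule the thread argues over, as an added example that is not part of either message: a checker that applies the RFC 7519 section 4.1.3 semantics exactly (absent `aud` imposes no constraint; a string must equal the recipient; an array must contain it; any other type is rejected), and then applies it to a constructed software statement whose `aud` names the registering client rather than the authorization server. The token, the claim values, the issuer URLs and the `check_software_statement` helper are all assumptions made up for this illustration; signature verification is deliberately out of scope here and must run before any claim is trusted.

```python
import base64
import json

# Helpers for compact JWS serialization (header.payload.signature). The
# signature segment in the constructed token below is a placeholder; this
# example only demonstrates the aud rule, not signature validation.

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def claims_from_jwt(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT (unverified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepts(claims: dict, recipient: str) -> bool:
    """RFC 7519 section 4.1.3: if aud is present, the recipient must be named.

    - no aud claim   -> no audience constraint, accept
    - aud is a string -> must equal the recipient
    - aud is an array -> must contain the recipient
    - anything else   -> malformed, reject
    """
    if "aud" not in claims:
        return True
    aud = claims["aud"]
    if isinstance(aud, str):
        return aud == recipient
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return recipient in aud
    return False


def check_software_statement(token: str, authorization_server: str) -> bool:
    """Would a strictly compliant AS accept this software statement's aud?"""
    return audience_accepts(claims_from_jwt(token), authorization_server)


# Constructed software statement: the developer portal issued it with aud
# set to the client that will present it, exactly the case from the thread.
_HEADER = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_PAYLOAD = _b64url_encode(json.dumps({
    "iss": "https://developer-portal.example",   # assumed issuer
    "software_id": "example-client-software",     # assumed value
    "aud": "client-123",                          # the client, not the AS
}).encode())
SOFTWARE_STATEMENT = f"{_HEADER}.{_PAYLOAD}.placeholder-signature"

if __name__ == "__main__":
    # A strict RFC 7519 verifier at an AS rejects it: the AS is not in aud.
    print(check_software_statement(SOFTWARE_STATEMENT, "https://as.example"))  # False
    # Only the client itself would pass the audience check.
    print(check_software_statement(SOFTWARE_STATEMENT, "client-123"))          # True
```

The interesting line is the `isinstance` cascade: a library that silently accepts a non-string `aud`, or that treats an absent recipient in an array as a pass, is "overriding" the rule in the sense the original question asks about. Dropping `aud` from the software statement entirely, as the reply suggests, makes the first branch apply and sidesteps the mismatch.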