[Openid-specs-fapi] Issue #214: restricting 'aud' in request object to a single value (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Thu Jan 31 09:35:01 UTC 2019

New issue 214: restricting 'aud' in request object to a single value

Joseph Heenan:

https://tools.ietf.org/html/rfc7523#section-3 and https://openid.net/specs/openid-connect-core-1_0.html#RequestObject both allow 'aud' in the request object to contain any array containing more than one value (as well as a simple string as used in most examples).

This just seems to me to be unnecessary flexibility and also flexibility that I think a large number of people don't appreciate, both of which feel bad to me in the context of a standard that aims to be higher security. (I would also bet some Authorization Servers in the UK OpenBanking ecosystem only actually support a single string currently.)

I can't see any FAPI use case where a request object would need to have multiple aud values.

I would be tempted to restrict 'aud' to being a simple string value.

The language in the various standards about what value 'aud' should take is also a bit loose (e.g. OIDCC says "The aud value SHOULD be or include the OP's Issuer Identifier URL." - i.e. it's a recommendation, not an absolute requirement), it might be worth FAPI stating that it MUST be exactly the AS's issuer value.

More information about the Openid-specs-fapi mailing list