[Openid-specs-fapi] Issue #398: new certification check: aud in client assertions is issuer (openid/fapi)
issues-reply at bitbucket.org
Mon Mar 29 18:47:19 UTC 2021
New issue 398: new certification check: aud in client assertions is issuer
For the FAPI WG’s information, the certification team intend to add a new test to the FAPI-RW, FAPI1-Advanced and FAPI-CIBA test suite that sends the `aud` in the client assertion to the token endpoint as the OP's issuer (whereas normally `aud` is the token endpoint as per OIDCC). If this test fails, a warning will be issued.
This is a step towards improving interoperability in this area; see [https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience#comment-60234935](https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience#comment-60234935) and [https://gitlab.com/openid/conformance-suite/-/issues/877](https://gitlab.com/openid/conformance-suite/-/issues/877) for further background.
As the test only issues a warning, failing the new test will not prevent anyone certifying - so this is viewed as a low impact change. The change will likely roll out in a few weeks' time.
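
Added example, not part of the original message or of the conformance suite: a sketch of the OP-side check the new test exercises, accepting a client assertion whose `aud` is either the token endpoint or the issuer. The issuer and token endpoint URLs, the client_id and the sample assertions are constructed, and signature verification is assumed to have happened before this check.

```python
import base64
import json
import time

# Constructed OP metadata (assumption, not taken from the message above).
ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = "https://op.example.com/token"


def assertion_claims(jwt):
    """Decode the payload of a compact JWS (signature assumed already verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_client_assertion(jwt, client_id, now=None):
    """Return the accepted audience value that matched, or raise ValueError."""
    now = time.time() if now is None else now
    claims = assertion_claims(jwt)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both equal the client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("exp missing or assertion expired")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud  # string or array form
    if not isinstance(audiences, list):
        raise ValueError("aud missing or malformed")
    # Exact string comparison against the two values this OP accepts.
    for accepted in (TOKEN_ENDPOINT, ISSUER):
        if accepted in audiences:
            return accepted
    raise ValueError("aud does not identify this OP")


def sample_assertion(aud, exp=2000000000):
    """Constructed sample assertion with a dummy signature segment."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": "client-1", "sub": "client-1", "aud": aud,
              "exp": exp, "jti": "constructed-jti"}
    return ".".join([enc({"alg": "PS256"}), enc(claims), "c2ln"])
```
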