[Openid-specs-mobile-profile] Account Migration - porting_data with new 'sub', and not looking like id_token
James.H.Manger at team.telstra.com
Wed Jun 15 08:05:58 UTC 2016
>> The "porting_data" looks like an id_token from the old OP. In fact, it might even be accepted as an id_token by some RPs
"porting_data" in draft-00 doesn’t include an "aud" (audience) claim. That might almost be sufficient to prevent OIDC clients being tricked into thinking it is an id_token since OpenID Connect Core 1.0 §3.1.3.7 "ID Token Validation" step 3 says "The Client MUST validate that the aud (audience) Claim contains its client_id".
Mind you, perhaps "porting_data" should have "aud" as well. That is awkward though as client_ids are OP-specific. "sector_id" (and "migrated_to") is effectively the audience for "porting_data".
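To show concretely why the missing "aud" claim keeps an RP from accepting porting_data as an id_token, here is an added example (not code from the list, the Account Migration draft, or any OpenID implementation). It builds a few HS256-signed JWTs and runs the relevant steps of OpenID Connect Core 1.0 §3.1.3.7 over them. The shared key, issuer URLs, client_id, clock value and the exact claim layout of porting_data (only "sub", "sector_id" and "migrated_to" come from the message above) are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demo (not from the thread or the draft).
KEY = b"shared-secret-for-demo-only"   # HS256 key; a real OP would use RS256/ES256
OLD_OP = "https://old-op.example"
NEW_OP = "https://new-op.example"
CLIENT_ID = "rp-client-1"             # this RP's client_id at OLD_OP
SECTOR_ID = "rp.example"              # sector identifier, as in the mail
NOW = 1466000000                      # fixed clock so the example is deterministic


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(claims: dict, key: bytes) -> str:
    """Compact JWS (header.payload.signature) signed with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, now: int) -> dict:
    """Subset of OpenID Connect Core 1.0 section 3.1.3.7 (ID Token Validation).

    Raises ValueError naming the failing step; returns the claims on success.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("step 6: bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("step 2: iss mismatch")
    # Step 3: aud MUST contain this client's client_id. porting_data has no aud at all.
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("step 3: no aud claim")
    auds = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in auds:
        raise ValueError("step 3: aud does not contain client_id")
    # Steps 4/5: with several audiences, azp MUST be present and equal client_id.
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise ValueError("step 4/5: multiple audiences but azp missing or wrong")
    # Step 9: not expired.
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("step 9: expired")
    return claims


def rejection_reason(token: str, key=KEY, issuer=OLD_OP, client_id=CLIENT_ID, now=NOW) -> str:
    """Empty string if the RP would accept the token as its id_token, else the failing step."""
    try:
        validate_id_token(token, key, issuer, client_id, now)
        return ""
    except ValueError as exc:
        return str(exc)


def accepts_as_id_token(token: str, **kw) -> bool:
    return rejection_reason(token, **kw) == ""


BASE = {"iss": OLD_OP, "sub": "248289761001", "iat": NOW, "exp": NOW + 600}

# A genuine id_token from the old OP for this RP.
ID_TOKEN = make_jws({**BASE, "aud": CLIENT_ID}, KEY)

# porting_data as described above: same iss/sub shape, sector_id and migrated_to, no aud.
PORTING_DATA = make_jws({**BASE, "sector_id": SECTOR_ID, "migrated_to": NEW_OP}, KEY)

# Hypothetical variant (assumption) that carries aud = sector_id instead of a client_id;
# it is still rejected, because the RP looks for its own client_id in aud.
PORTING_DATA_SECTOR_AUD = make_jws({**BASE, "sector_id": SECTOR_ID, "migrated_to": NEW_OP,
                                    "aud": SECTOR_ID}, KEY)

if __name__ == "__main__":
    for name, tok in [("id_token", ID_TOKEN), ("porting_data", PORTING_DATA),
                      ("porting_data+sector aud", PORTING_DATA_SECTOR_AUD)]:
        print(f"{name:24s} -> {rejection_reason(tok) or 'ACCEPTED as id_token'}")
```

The signature check here is deliberately HS256 with a shared secret so the block runs offline; the point is the claim checks, which are identical for asymmetric signatures. Note that the protection rests entirely on step 3: an RP that skips the audience check (or one whose client_id somehow appeared in a porting_data "aud") would accept the migration artefact as a login.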