[Openid-specs-mobile-profile] Issue #193: typ header for User Statement Token / potential for confusion with id_token (openid/mobile)

josephheenan issues-reply at bitbucket.org
Fri Dec 18 17:32:14 UTC 2020


New issue 193: typ header for User Statement Token / potential for confusion with id_token
https://bitbucket.org/openid/mobile/issues/193/typ-header-for-user-statement-token

Joseph Heenan:

If I’ve followed things correctly, the token defined in [https://openid.net/specs/openid-connect-user-questioning-api-1_0-11.html#rfc.section.2](https://openid.net/specs/openid-connect-user-questioning-api-1_0-11.html#rfc.section.2) is almost a valid id_token - the only difference I spotted vs [https://openid.net/specs/openid-connect-core-1_0.html#IDToken](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) is that it doesn’t include an `iat`/`exp` and perhaps `nonce` - all of which are technically optional to check in [https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).

(It does contain a number of claims that are unique to the user statement token, but OIDC clients are required to ignore unknown claims in an id_token, so that potentially wouldn’t prevent something accepting a user statement token as an id_token.)

That might be worthy of a security consideration (people may accidentally or deliberately include `iat`/`exp`), but as per [https://tools.ietf.org/html/rfc8725#section-3.11](https://tools.ietf.org/html/rfc8725#section-3.11) it may be worth considering adding a `typ` header to help avoid any future confusion.
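As an added example (not code from the issue, the OpenID specs or the mailing list): a minimal self-contained HS256 JWT verifier in Python showing why claims-only id_token validation also accepts a user statement token that omits `iat`/`exp`, and how explicit typing per RFC 8725 section 3.11 rejects it. The key, issuer/audience/subject, the profile-specific claim names and the `typ` value `ust+jwt` are constructed placeholders (the spec defines no `typ` value yet).

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

# Constructed values for this demonstration only.
KEY = b"demo-shared-secret"
ISSUER, AUDIENCE, SUBJECT = "https://op.example", "client-123", "user-42"
USER_STATEMENT_TYP = "ust+jwt"  # hypothetical typ value; the profile defines none yet

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, typ: Optional[str] = None) -> str:
    """HS256-sign a JWT; the 'typ' header is set only when requested."""
    header = {"alg": "HS256", **({"typ": typ} if typ else {})}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def mint_id_token() -> str:
    return mint_jwt({"iss": ISSUER, "sub": SUBJECT, "aud": AUDIENCE, "iat": 1608310334, "exp": 1608313934}, "JWT")

def mint_user_statement_token(typ: Optional[str] = USER_STATEMENT_TYP) -> str:
    # Same iss/sub/aud as an id_token, no iat/exp, plus profile-specific claims (constructed names).
    return mint_jwt({"iss": ISSUER, "sub": SUBJECT, "aud": AUDIENCE, "question_id": "q-1", "answer": "yes"}, typ)

def _verified_parts(token: str) -> Tuple[dict, dict]:
    """Check the signature and pin the algorithm, then return (header, claims)."""
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return header, json.loads(b64url_decode(p))

def accepted_as_id_token_claims_only(token: str) -> bool:
    """Only the claim checks OIDC Core requires; unknown claims are ignored, iat/exp are not required."""
    try:
        _, claims = _verified_parts(token)
    except ValueError:
        return False
    return claims.get("iss") == ISSUER and claims.get("sub") is not None and claims.get("aud") == AUDIENCE

def accepted_as_id_token(token: str) -> bool:
    """Same checks plus explicit typing (RFC 8725 section 3.11): the typ header must be exactly 'JWT'."""
    try:
        header, _ = _verified_parts(token)
    except ValueError:
        return False
    return header.get("typ") == "JWT" and accepted_as_id_token_claims_only(token)
```

With claims-only validation both tokens are accepted; with the `typ` check a user statement token is rejected whether it carries its own `typ` or none at all.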
