[Openid-specs-ab] Aggregated and Distributed Claims
Torsten Lodderstedt
torsten at lodderstedt.net
Mon Mar 4 16:01:13 UTC 2019
Thanks
As far as I understand, you discussed distributed claims only and suggested doing discovery on the endpoint and/or using the claim provider’s TLS cert to conduct the check. That does not work for aggregated claims.
I think requiring an iss claim in the JWT is the obvious solution as the RP can perform signature validation as normal in OIDC. BTW: I would suggest the same for distributed claims :-)
What do you think?
> Am 04.03.2019 um 16:56 schrieb Hans Zandbelt <hans.zandbelt at zmartzone.eu>:
>
> FYI: developing the OIDC certification suite we encountered the same:
> https://github.com/openid-certification/oidctest/issues/51#issuecomment-349301164
>
> Hans.
>
> On Mon, Mar 4, 2019 at 4:38 PM Torsten Lodderstedt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Hi all,
>
> I just worked my way through section 5.6.2 of the OpenID Connect Core spec and I'm wondering how an RP is supposed to check the signature of a nested JWT containing aggregated claims. There is no text that the JWT must contain an "iss" claim that could be used to obtain the other claims provider’s JWKS URI.
>
> What is the spec's assumption about how signature validation should work?
>
> kind regards,
> Torsten.
>
>
> --
> hans.zandbelt at zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
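The RP-side check Torsten proposes above (the inner aggregated-claims JWT must carry an `iss` so the RP can resolve the claims provider's keys and validate the signature as it would for any OIDC JWT), written out as an added example that is not part of this thread or of any OpenID project code. It uses HS256 with a constructed pre-shared key and a static trusted-issuer key table standing in for the JWKS an RP would fetch via discovery on `iss`; `make_hs256_jwt`, `TRUSTED_ISSUER_KEYS` and `verify_aggregated_claims` are hypothetical names.

```python
import base64, hashlib, hmac, json

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Constructed stand-in for a claims provider issuing a signed JWT (HS256 keeps this stdlib-only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

# Assumption: in a real RP these keys come from each trusted issuer's JWKS URI,
# located through discovery on the iss value; here they are constructed and static.
TRUSTED_ISSUER_KEYS = {
    ("https://claims.example.org", "k1"): b"constructed-demo-secret",
}

def verify_aggregated_claims(id_token_claims: dict) -> dict:
    """Return aggregated claims (OIDC Core 5.6.2) whose inner JWT names a trusted iss and verifies."""
    result = {}
    sources = id_token_claims.get("_claim_sources", {})
    for name, src_name in id_token_claims.get("_claim_names", {}).items():
        src = sources.get(src_name, {})
        if "JWT" not in src:
            continue  # a distributed claim (endpoint + access_token); not handled here
        header_b64, payload_b64, sig_b64 = src["JWT"].split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg in aggregated-claims JWT")
        if "iss" not in payload:
            # Without iss the RP has no way to locate the claims provider's keys.
            raise ValueError(f"inner JWT for {name!r} carries no iss claim")
        key = TRUSTED_ISSUER_KEYS.get((payload["iss"], header.get("kid")))
        if key is None:
            raise ValueError("untrusted issuer or unknown kid")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("aggregated-claims JWT signature is invalid")
        if name in payload:
            result[name] = payload[name]
    return result
```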