[Openid-specs-ab] Issue #1361: Is `i_am_siop` sufficient to distinguish SIOP and non-SIOP ID tokens? (openid/connect)
Daniel Fett
issues-reply at bitbucket.org
Thu Nov 25 07:58:54 UTC 2021
New issue 1361: Is `i_am_siop` sufficient to distinguish SIOP and non-SIOP ID tokens?
https://bitbucket.org/openid/connect/issues/1361/is-i_am_siop-sufficient-to-distinguish
Daniel Fett:
There might be attacks where an RP expects to be speaking to a non-SIOP, but the RP is in fact talking to a SIOP.
Until now, this was prevented by the special `iss` value.
Now, the RP might not notice the self-issued nature of the OP, at least under some circumstances, e.g., when discovery or the check of the ID token signature is not done properly.
The `i_am_siop` Claim is not sufficient, as it expects any RP to actively check for its presence.
A better mechanism would be something that invalidates the ID token for any RP that does not intend to speak SIOP.
The issuer's identifier would be a good candidate: We could either rename it for SIOP:
```
{
"siop+iss": "https://dynamic.siop.example"
...
}
```
… but that is probably a big change and we have to answer the question what happens when both `siop+iss` and `iss` are present.
Another option would be to prefix the issuer:
```
{
"iss": "siop+https://dynamic.siop.example"
...
}
```
This feels a bit closer to what we want to achieve - tell the RP that this ID token is to be handled with caution.
In both cases, a non-SIOP RP that performs the most basic checks on the ID token will reject it.
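To make the argument in this thread concrete, here is an added example (not part of the original post, the OpenID Connect specs or any SIOP implementation) that models three RP-side claim checks: a careless RP that never compares `iss` against discovery, an RP that performs the most basic `iss` check, and an RP that deliberately speaks SIOP under the prefixed-issuer proposal. The issuer `https://op.example`, the claim sets, the function names and the decision to reject a token carrying both `iss` and `siop+iss` are all constructed assumptions for illustration; signature verification and discovery are left out.

```python
"""Added example: RP-side ID-token claim checks under the SIOP issuer
proposals discussed in the thread. Not code from the post or any spec."""

EXPECTED_ISSUER = "https://op.example"        # constructed: issuer the RP learned via discovery
SIOP_ISSUER = "https://dynamic.siop.example"  # issuer URL used in the post's examples
SIOP_PREFIX = "siop+"

# Constructed sample claim sets (signature and other checks omitted on purpose).
LEGIT_TOKEN = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": "rp.example"}
SIOP_FLAG_ONLY = {"iss": SIOP_ISSUER, "sub": "alice", "aud": "rp.example", "i_am_siop": True}
SIOP_PREFIXED = {"iss": SIOP_PREFIX + SIOP_ISSUER, "sub": "alice", "aud": "rp.example"}
SIOP_RENAMED = {"siop+iss": SIOP_ISSUER, "sub": "alice", "aud": "rp.example"}
SIOP_BOTH = {"iss": EXPECTED_ISSUER, "siop+iss": SIOP_ISSUER, "sub": "alice", "aud": "rp.example"}


def careless_rp_accepts(claims):
    """RP that only checks that the usual claims are present. It never compares
    `iss` with the issuer it discovered and never looks for `i_am_siop`, so a
    token carrying that flag sails through: the gap the post describes."""
    return all(key in claims for key in ("iss", "sub", "aud"))


def basic_rp_accepts(claims, expected_iss=EXPECTED_ISSUER):
    """The 'most basic check' of a non-SIOP RP: `iss` must equal the issuer the
    RP obtained through discovery. Both proposals change `iss` (or remove it),
    so this check rejects a SIOP token without any SIOP-specific logic."""
    return claims.get("iss") == expected_iss


def issuer_under_renamed_claim(claims):
    """Resolve the issuer under the renamed-claim proposal.

    Returns (issuer, is_siop), or None when no issuer can be established.
    Assumption made in this example: a token that carries both `iss` and
    `siop+iss` is ambiguous and is therefore rejected rather than picking one."""
    has_iss = "iss" in claims
    has_siop_iss = "siop+iss" in claims
    if has_iss and has_siop_iss:
        return None
    if has_siop_iss:
        return (claims["siop+iss"], True)
    if has_iss:
        return (claims["iss"], False)
    return None


def siop_rp_accepts_prefixed(claims, expected_siop_iss=SIOP_ISSUER):
    """An RP that intends to speak SIOP, under the prefixed-issuer proposal:
    `iss` must carry the prefix and the remainder must match the expected
    self-issued OP."""
    iss = claims.get("iss", "")
    if not iss.startswith(SIOP_PREFIX):
        return False
    return iss[len(SIOP_PREFIX):] == expected_siop_iss


def summarize():
    """Which sample token each style of RP accepts; handy for a quick run."""
    tokens = {
        "legit": LEGIT_TOKEN,
        "siop_flag_only": SIOP_FLAG_ONLY,
        "siop_prefixed": SIOP_PREFIXED,
        "siop_renamed": SIOP_RENAMED,
    }
    return {
        name: {
            "careless_rp": careless_rp_accepts(token),
            "basic_rp": basic_rp_accepts(token),
            "siop_rp_prefixed": siop_rp_accepts_prefixed(token),
        }
        for name, token in tokens.items()
    }


if __name__ == "__main__":
    for name, verdicts in summarize().items():
        print(f"{name:16s} {verdicts}")
```

Running it shows the point of the thread: the token that relies on `i_am_siop` alone is accepted by the careless RP, while under either proposal the basic `iss` comparison already rejects it. The renamed-claim variant is also rejected by the careless RP, because `iss` is simply absent, and `issuer_under_renamed_claim` shows one conservative answer to the "both present" question raised in the post.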