[Openid-specs-ab] Issue #1602: Signed request - what is the audience? (openid/connect)
David Waite
issues-reply at bitbucket.org
Tue Aug 16 23:14:07 UTC 2022
New issue 1602: Signed request - what is the audience?
https://bitbucket.org/openid/connect/issues/1602/signed-request-what-is-the-audience
David Waite:
OAuth Core and RFC9101 (JAR) have a SHOULD requirement for ‘aud’, and that it SHOULD be the issuer.
However, we changed SIOPv2 to equate `iss` and `sub`, and we will not know `sub` at the time of the request (since the end user has not yet been authenticated).
I think we should define exact behavior here, and propose one of:
1. The `aud` of a signed request MUST be omitted
2. The `aud` of a signed request MUST be the entity identifier associated with a set of SIOP feature policy. (e.g. `https://self-issued.me/v2` as a default indicating the static metadata, potentially another value for a different trust framework).
3. The `aud` of the signed request MUST be the authorization endpoint of the SIOP.
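As an added example (not part of the issue or of the SIOPv2 spec), the three proposals expressed as the audience check a SIOP could apply to a decoded request object, in Python; the authorization endpoint value, the second trust-framework identifier and the sample claims are constructed assumptions. It also covers `aud` given as an array, which RFC 7519 permits, and the problematic case of an `aud` naming a `sub` the SIOP cannot know yet.

```python
import base64
import json

# Default SIOP feature-policy identifier named in the issue; another trust
# framework could register its own (the second value is constructed).
STATIC_SIOP_ID = "https://self-issued.me/v2"
KNOWN_SIOP_IDS = {STATIC_SIOP_ID, "https://example.org/trust-framework/v1"}
AUTHZ_ENDPOINT = "https://siop.example.org/authorize"  # assumed, not from the issue


def decode_claims(request_object: str) -> dict:
    """Return the payload of a JWT request object.

    Signature verification is assumed to happen before this check; the
    audience policy concerns the claims, not the signing key."""
    _header, payload, _signature = request_object.split(".")
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audiences(claims: dict) -> list:
    """RFC 7519 lets `aud` be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def aud_acceptable(claims: dict, policy: int) -> bool:
    """Apply one of the three proposals from the issue to decoded claims."""
    auds = audiences(claims)
    if policy == 1:  # proposal 1: aud MUST be omitted
        return "aud" not in claims
    if policy == 2:  # proposal 2: aud MUST be a SIOP feature-policy identifier
        # Assumption: every listed audience must be one this SIOP recognises.
        return bool(auds) and all(a in KNOWN_SIOP_IDS for a in auds)
    if policy == 3:  # proposal 3: aud MUST be this SIOP's authorization endpoint
        return auds == [AUTHZ_ENDPOINT]
    raise ValueError(f"unknown policy {policy}")


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_request_object(aud=None) -> str:
    """Constructed request object with a placeholder signature (not a real JWS)."""
    claims = {"iss": "https://rp.example.com", "client_id": "https://rp.example.com",
              "response_type": "id_token", "nonce": "n-0S6_WzA2Mj"}
    if aud is not None:
        claims["aud"] = aud
    header = {"alg": "ES256", "typ": "oauth-authz-req+jwt"}  # typ from RFC 9101
    return ".".join([_b64url(header), _b64url(claims), "placeholder-signature"])
```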