[Openid-specs-ab] security implications of client_id or endpoint as "aud" in OpenID Provider Commands
Dick Hardt
dick.hardt at gmail.com
Thu Apr 17 14:49:00 UTC 2025
Hello!
We are working on a new specification, OpenID Provider Commands. The
commands are JWTs that are similar to an ID Token: they have the same "iss"
and the same verification, and share identity claims. The OP sends command
tokens to an RP.
We want to ensure that a command token is not confused with an id token.
Currently the spec has the same "aud" value in the command token as an id
token -- the client_id value.
We are considering setting the "aud" value to be the command_endpoint URL
and to set the "client_id" claim to be the client_id value.
https://github.com/openid/openid-provider-commands
https://github.com/openid/openid-provider-commands/issues/4
Thanks in advance for your feedback and review!
/Dick
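An added illustration, not part of the message or of the spec draft, of the confusion being discussed: under the current design a command token carrying aud=client_id passes an RP's ID Token audience check, while under the proposed design (aud=command_endpoint URL, client_id in its own claim) it does not. The issuer, client_id, endpoint URL, claim name "command" and all token values are constructed assumptions; signatures are assumed already verified, since both token types use the same verification.

```python
# Token-type confusion check: OpenID Provider Commands vs ID Tokens.
# All identifiers below are constructed for illustration, not from the spec.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-123"
COMMAND_ENDPOINT = "https://rp.example/openid/command"  # assumed RP endpoint
NOW = 1_700_000_000  # fixed clock so the checks are deterministic

def _common_checks(claims: dict, now: int) -> None:
    # Checks shared by both token types (signature assumed verified upstream).
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")

def accept_id_token(claims: dict, now: int = NOW) -> str:
    """Return the subject if the claims are acceptable as an ID Token for this RP."""
    _common_checks(claims, now)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in auds:  # the standard ID Token audience check
        raise ValueError("aud does not contain our client_id")
    return claims["sub"]

def accept_command_token(claims: dict, now: int = NOW) -> str:
    """Return the command if the claims match the proposed command-token design."""
    _common_checks(claims, now)
    if claims.get("aud") != COMMAND_ENDPOINT:  # aud is the endpoint, not client_id
        raise ValueError("aud is not our command endpoint")
    if claims.get("client_id") != CLIENT_ID:  # client_id moved to its own claim
        raise ValueError("client_id claim does not match")
    return claims["command"]  # "command" is an assumed claim name

def id_token_check_accepts(claims: dict) -> bool:
    try:
        accept_id_token(claims)
        return True
    except (ValueError, KeyError):
        return False

# Constructed tokens (decoded claims), all sharing iss and identity claims.
ID_TOKEN = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "exp": NOW + 300}
CURRENT_DESIGN_COMMAND = {**ID_TOKEN, "command": "example-command"}
PROPOSED_DESIGN_COMMAND = {"iss": ISSUER, "aud": COMMAND_ENDPOINT,
                           "client_id": CLIENT_ID, "sub": "user-42",
                           "exp": NOW + 300, "command": "example-command"}

if __name__ == "__main__":
    print("current design command passes ID Token check:",
          id_token_check_accepts(CURRENT_DESIGN_COMMAND))   # True (confusable)
    print("proposed design command passes ID Token check:",
          id_token_check_accepts(PROPOSED_DESIGN_COMMAND))  # False
```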