[Openid-specs-ab] security implications of client_id or endpoint as "aud" in OpenID Provider Commands

george at practicalidentity.com
Fri Apr 18 19:26:48 UTC 2025


I’m in favor of this proposal. I didn’t see anyone else respond on the list. I’m assuming that is the command_endpoint_url of the relying party and not the IDP.

Thanks,
George

--
George Fletcher
Practical Identity LLC

> On Apr 17, 2025, at 10:49 AM, Dick Hardt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> 
> Hello!
> 
> We are working on a new specification, OpenID Provider Commands. The commands are a JWT that is similar to an ID Token, has the same "iss" and the same verification, and shares identity claims. The OP sends command tokens to an RP.
> 
> We want to ensure that a command token is not confused with an id token. 
>  
> Currently the spec has the same "aud" value in the command token as an id token -- the client_id value. 
> 
> We are considering setting the "aud" value to be the command_endpoint URL and to set the "client_id" claim to be the client_id value.
> 
> https://github.com/openid/openid-provider-commands
> 
> https://github.com/openid/openid-provider-commands/issues/4
> 
> Thanks in advance for your feedback and review!
> 
> /Dick
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
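The confusion the proposal is meant to prevent, shown as an added example rather than code from the thread, the draft, or the openid-provider-commands repository. The RP's ordinary ID Token check (OIDC Core: same "iss", same signature verification, "aud" must contain the client_id) is run against a command token minted under the current draft (aud = client_id) and under the proposed layout (aud = command endpoint URL, client_id as a separate claim). HS256 with a shared key stands in for the OP's JWS key so the block runs offline; ISSUER, CLIENT_ID, COMMAND_ENDPOINT and the `verify_*` functions are constructed for this example, and the command token is assumed to carry "exp" like an ID Token.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the spec or the thread).
ISSUER = "https://op.example"
CLIENT_ID = "s6BhdRkqt3"
COMMAND_ENDPOINT = "https://rp.example/openid/commands"
OP_KEY = b"shared-demo-key-not-for-production"  # HS256 stands in for the OP's JWS key
NOW = 1_745_000_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS over the claims (HS256 keeps the example offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_verified(token: str, key: bytes) -> dict:
    """Signature check shared by both token types (same iss, same key, same JWS verification)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def _aud_list(aud):
    return aud if isinstance(aud, list) else [aud]


def verify_id_token(token, key, issuer, client_id, now=NOW) -> dict:
    """The OIDC Core ID Token checks that matter here: iss, aud contains client_id, exp."""
    claims = decode_verified(token, key)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if client_id not in _aud_list(claims.get("aud")):
        raise ValueError("aud does not contain client_id")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def verify_command_token(token, key, issuer, command_endpoint, client_id, now=NOW) -> dict:
    """Proposed binding: aud must be exactly this RP's command endpoint; client_id is its own claim."""
    claims = decode_verified(token, key)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if _aud_list(claims.get("aud")) != [command_endpoint]:  # single-valued aud, by design
        raise ValueError("aud is not this command endpoint")
    if claims.get("client_id") != client_id:
        raise ValueError("client_id mismatch")
    if now >= claims.get("exp", 0):  # assumed: command tokens carry exp like ID Tokens
        raise ValueError("expired")
    return claims


def _accepted(fn, *args) -> bool:
    try:
        fn(*args)
        return True
    except ValueError:
        return False


def confusion_demo() -> dict:
    base = {"iss": ISSUER, "sub": "248289761001", "iat": NOW, "exp": NOW + 300}
    # Current draft: the command token carries aud = client_id, exactly like an ID Token.
    current_cmd = sign_hs256({**base, "aud": CLIENT_ID}, OP_KEY)
    # Proposal from the thread: aud = command endpoint URL, client_id as a separate claim.
    proposed_cmd = sign_hs256({**base, "aud": COMMAND_ENDPOINT, "client_id": CLIENT_ID}, OP_KEY)
    id_token = sign_hs256({**base, "aud": CLIENT_ID}, OP_KEY)
    return {
        "current_command_token_passes_id_token_check":
            _accepted(verify_id_token, current_cmd, OP_KEY, ISSUER, CLIENT_ID),
        "proposed_command_token_passes_id_token_check":
            _accepted(verify_id_token, proposed_cmd, OP_KEY, ISSUER, CLIENT_ID),
        "proposed_command_token_passes_command_check":
            _accepted(verify_command_token, proposed_cmd, OP_KEY, ISSUER, COMMAND_ENDPOINT, CLIENT_ID),
        "id_token_passes_command_check":
            _accepted(verify_command_token, id_token, OP_KEY, ISSUER, COMMAND_ENDPOINT, CLIENT_ID),
    }


if __name__ == "__main__":
    for name, ok in confusion_demo().items():
        print(f"{name}: {ok}")
```

Under the current draft the command token and the ID Token are claim-for-claim indistinguishable to the RP's ID Token validator, so a command token delivered (or replayed) wherever the RP expects an ID Token is accepted. With "aud" set to the command endpoint URL, the same validator rejects it, and the command endpoint's own check rejects an ID Token in the other direction because its "aud" is the client_id rather than the endpoint. Requiring the command token's "aud" to be exactly one value is a choice made in this example; it keeps an OP from issuing a token whose audience list satisfies both validators at once.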