[Openid-specs-ab] security implications of client_id or endpoint as "aud" in OpenID Provider Commands
Dick Hardt
dick.hardt at gmail.com
Fri Apr 18 20:04:38 UTC 2025
Correct, the command_endpoint is at the RP.
On Fri, Apr 18, 2025 at 12:27 PM <george at practicalidentity.com> wrote:
> I’m in favor of this proposal. I didn’t see anyone else respond on the
> list. I’m assuming that is the command_endpoint_url of the relying party
> and not the IDP.
>
> Thanks,
> George
>
> --
> George Fletcher
> Practical Identity LLC
>
> On Apr 17, 2025, at 10:49 AM, Dick Hardt via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>
>
> Hello!
>
> We are working on a new specification, OpenID Provider Commands.The
> commands are a JWT that is similar to an ID Token that have the same "iss"
> and same verification, and share identity claims. The OP sends command
> tokens to an RP.
>
> We want to ensure that a command token is not confused with an id token.
>
> Currently the spec has the same "aud" value in the command token as an id
> token -- the client_id value.
>
> We are considering setting the "aud" value to be the command_endpoint URL
> and to set the "client_id" claim to be the client_id value.
>
> https://github.com/openid/openid-provider-commands
>
> https://github.com/openid/openid-provider-commands/issues/4
>
> Thanks in advance for your feedback and review!
>
> /Dick
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250418/328f8bb4/attachment.htm>
More information about the Openid-specs-ab
mailing list