<div dir="ltr">Dick, yes, your example properly illustrates my suggestion. It's safe to say it becomes even more important when dealing with multi-tenant OPs. You never want a malicious actor to trick an OP into creating a client with a specific name to abuse RPs in different tenants (due to lack of controls / checks on either or both sides).<div><br></div><div>It's also worth noting that the aud claim can take not only a single string but also an array of strings, as specified in the OpenID Connect Core 1.0 spec.<br><div><br></div><div>On a side note, one day OpenID Connect ID Tokens will be explicitly typed... along with Logout Tokens, and JWT assertions used as client's credentials.</div><div><br></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><a href="https://bitbucket.org/openid/connect/issues/2162/recommendation-to-the-use-of-explicit">https://bitbucket.org/openid/connect/issues/2162/recommendation-to-the-use-of-explicit</a></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">All the best,</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Andrii</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p></div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, Mar 14, 2025 at 8:03 AM george--- via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid 
rgb(204,204,204);padding-left:1ex"><div>Hi Dick,<div><br></div><div>My apologies! I read the “command” claim as the “aud” claim which of course doesn’t (and shouldn’t) have the full URL.</div><div><br id="m_2896858034446555645lineBreakAtBeginningOfMessage"><div>
<div>George Fletcher</div><div>Identity Standards Architect</div><div>Practical Identity LLC</div><div><br></div><br>
</div>
<div><br><blockquote type="cite"><div>On Mar 14, 2025, at 10:59 AM, Dick Hardt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:</div><br><div><div dir="auto">The example I provided was the full URL George — what am I missing?</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 14, 2025 at 2:55 PM <<a href="mailto:george@practicalidentity.com" target="_blank">george@practicalidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>+1 for this approach<div><br></div><div>It might be useful to put the full URI in the `aud` claim so that domain matches can be made as well</div><div><br id="m_2896858034446555645m_8821379763650655131lineBreakAtBeginningOfMessage"><div>
<div>George Fletcher</div><div>Identity Standards Architect</div><div>Practical Identity LLC</div><div><br></div><br>
</div>

<div><br><blockquote type="cite"></blockquote></div></div></div><div><div><div><blockquote type="cite"><div>On Mar 14, 2025, at 7:33 AM, Dick Hardt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:</div><br></blockquote></div></div></div><div><div><div><blockquote type="cite"><div></div></blockquote></div></div></div><div><div><div><blockquote type="cite"><div><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="ltr" style="font-family:Helvetica"><div dir="ltr" style="font-family:Helvetica"><div dir="ltr" style="font-family:Helvetica"><div dir="ltr" style="font-family:Helvetica"><br><br><div class="gmail_quote" style="font-family:Helvetica"><div dir="ltr" class="gmail_attr" style="font-family:Helvetica">On Fri, Mar 14, 2025 at 12:51 AM Joseph Heenan <<a href="mailto:joseph@authlete.com" style="font-family:Helvetica" target="_blank">joseph@authlete.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex;font-family:Helvetica">Hi Dick,<br><br><br>> On 14 Mar 2025, at 01:01, Dick Hardt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" style="font-family:Helvetica" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>><span style="font-family:Helvetica"> </span><br>><span style="font-family:Helvetica"> </span><br>> Building on Joseph's response:<br>> > The confusion attack only really applies where you have a ‘sub’ value that can contain a client id or a user identifier. 
That isn’t the case here.<br>><span style="font-family:Helvetica"> </span><br>> An objective is to have a Command Token that is used in the `activate` and `maintain` commands to be able to be verified and processed similar to an id_token allowing code reuse.<br>><span style="font-family:Helvetica"> </span><br>> The id_token specifies that the client_id is the `aud` claim, so following that same semantic keeps things simple for the RP.<br>><span style="font-family:Helvetica"> </span><br>> We do want to provide mechanisms that make it easy for an RP to not confuse id_tokens and command tokens -- We can add that the command claim MUST NOT be in an id_token, and per the other thread, we could require OPs that support OP Commands to require a nonce in the id_token.<span style="font-family:Helvetica"> </span><br><br>Unfortunately I think it’s not just the RP that we need to worry about - whilst doing so is contentious, there are various patterns of third parties accepting id tokens, and we should at least be aware of the implications if one of those third parties would accept a command token in place of an id_token.<br></blockquote><div style="font-family:Helvetica"><br></div><div style="font-family:Helvetica">I'm not that familiar with those patterns Joseph. Would you share those so we can reflect on how to minimize the risk of a command_token being used in place of an id_token?<br><br>Perhaps Andrii's proposal (if I understood it correctly) of the `aud` being the commands_uri and the `client_id` claim containing the client_id is the better approach. It seems this would significantly reduce the risk of token confusion.<br><br>The command token endpoint then knows the command was intended for it, and the `client_id` is then just a claim in the command. 
This may simplify RPs that host multiple client tenants that are each identified by their own client_id value.<br><br>The example at the end of section 4 would then change from <br><br><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">{</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "iss": "<a href="https://op.example.org/" style="font-family:monospace" target="_blank">https://op.example.org</a>",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "sub": "248289761001",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "aud": "s6BhdRkqt3",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "iat": 1734004000,</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "exp": 1734004060,</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "jti": "bWJr",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "command": "unauthorize"</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">}</font><br><br>to <br><br><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">{</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "iss": "<a href="https://op.example.org/" style="font-family:monospace" target="_blank">https://op.example.org</a>",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "aud": "<a href="https://rp.example.net/commands" style="font-family:monospace" target="_blank">https://rp.example.net/commands</a>",</font></div><div style="font-family:Helvetica"><font face="monospace" 
style="font-family:monospace">  "sub": "248289761001",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "client_id": "s6BhdRkqt3",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "iat": 1734004000,</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "exp": 1734004060,</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "jti": "bWJr",</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">  "command": "unauthorize"</font></div><div style="font-family:Helvetica"><font face="monospace" style="font-family:monospace">}<br><br></font></div></div></div><div style="font-family:Helvetica"><font face="arial, sans-serif" style="font-family:arial,sans-serif">where </font><span style="font-family:monospace"><a href="https://rp.example.net/commands" style="font-family:monospace" target="_blank">https://rp.example.net/commands</a><span style="font-family:monospace"> </span></span><font face="arial, sans-serif" style="font-family:arial,sans-serif">is the<span style="font-family:arial,sans-serif"> </span></font><span style="font-family:monospace">commands_uri</span></div></div></div></div></div></div></div></div></blockquote></div></div></div><div><div><div><blockquote type="cite"><div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">_______________________________________________</span><br 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">Openid-specs-ab mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="mailto:Openid-specs-ab@lists.openid.net" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">Openid-specs-ab@lists.openid.net</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div></blockquote></div><br></div></div></blockquote></div></div>
</div></blockquote></div><br></div></div>
</blockquote></div>
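<div dir="ltr">Added example, not code from the thread, the OpenID Connect specs or the OP Commands draft: a claims-set validator for the layout proposed above, where aud is the commands_uri and client_id is a separate claim, accepting aud as a single string or an array of strings. COMMANDS_URI, ISSUER and KNOWN_CLIENTS are constructed values, and signature verification is assumed to have already happened before these checks run.</div>

```python
"""Claims-set checks for the proposed command token layout (aud = commands_uri,
client_id as its own claim). Added illustration only; the JWS signature is
assumed to have been verified before this runs."""
import time

# Constructed values mirroring the example in the thread.
COMMANDS_URI = "https://rp.example.net/commands"
ISSUER = "https://op.example.org"
KNOWN_CLIENTS = {"s6BhdRkqt3"}   # client_ids (tenants) this RP hosts
MAX_SKEW = 60                     # tolerated clock skew in seconds


def aud_matches(aud, expected):
    """'aud' may be one string or an array of strings (OpenID Connect Core 1.0)."""
    if isinstance(aud, str):
        return aud == expected
    return isinstance(aud, list) and expected in aud


def validate_command_token(claims, now=None):
    """Return (ok, reason). An id_token (aud = client_id, no command claim)
    cannot pass, and a command aimed at another RP or tenant is refused."""
    now = time.time() if now is None else now
    for key in ("iss", "aud", "sub", "client_id", "iat", "exp", "jti", "command"):
        if key not in claims:
            return False, f"missing claim: {key}"
    if claims["iss"] != ISSUER:
        return False, "unexpected issuer"
    # The audience is this RP's commands_uri, never a client_id.
    if not aud_matches(claims["aud"], COMMANDS_URI):
        return False, "aud is not this commands_uri"
    # Multi-tenant RP: the named client must actually be one of ours.
    if claims["client_id"] not in KNOWN_CLIENTS:
        return False, "client_id is not a tenant of this RP"
    if claims["iat"] > now + MAX_SKEW:
        return False, "iat is in the future"
    if now > claims["exp"] + MAX_SKEW:
        return False, "token expired"
    return True, "ok"


def validate_id_token_shape(claims):
    """Mirror of the rule discussed above: 'command' MUST NOT appear in an
    id_token, and OPs supporting commands require a nonce in the id_token."""
    if "command" in claims:
        return False, "command claim present: not an id_token"
    if "nonce" not in claims:
        return False, "nonce required"
    return True, "ok"
```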