[OpenID-Specs-eKYC-IDA] Issue #1331: possible type confusion with distributed/aggregated claims (openid/ekyc-ida)
josephheenan
issues-reply at bitbucket.org
Wed Nov 2 11:47:19 UTC 2022
New issue 1331: possible type confusion with distributed/aggregated claims
https://bitbucket.org/openid/ekyc-ida/issues/1331/possible-type-confusion-with-distributed
Joseph Heenan:
As originally mentioned on [https://bitbucket.org/openid/ekyc-ida/pull-requests/144#comment-340866589](https://bitbucket.org/openid/ekyc-ida/pull-requests/144#comment-340866589), for the JWS for distributed/aggregated claims, [the recommendation in the JWT BCP](https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing) says we should try to make sure these objects can’t be confused with other JWS objects.
e.g. as the object contains iss & sub, it can potentially be confused with an id_token (and that would be bad, as someone obtaining the claim object may then be able to use it as an id_token at services that allow id_tokens from that issuer to be used/exchanged for other things).
This could be avoided by explicitly saying that these objects must not contain exp / aud, which would mean they can’t be valid id tokens.
Additionally, defining an explicit value to be used in the `typ` header would probably also make sense.
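As an added illustration, not part of the issue text or the spec, the sketch below shows the confusion and both proposed mitigations: a naive ID-token check that accepts anything signed by the issuer carrying iss/sub, a strict check that requires exp/aud and rejects an explicitly typed object, and a claims-object validator that enforces the explicit typ and the absence of exp/aud. The HS256 key, the typ value and the sample payloads are constructed placeholders, not values defined anywhere by the working group.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key and typ label: neither comes from the spec or any deployment.
KEY = b"demo-shared-secret-not-for-real-use"
CLAIMS_TYP = "x-example-claims+jwt"  # placeholder explicit typ for claim objects

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jws(header: dict, payload: dict) -> str:
    """Compact HS256 JWS; stands in for the claims provider's signing step."""
    parts = [b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode())]
    sig = hmac.new(KEY, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])

def verify_jws(token: str):
    """Check the HMAC and return (header, payload); raise on a bad signature."""
    dec = lambda t: base64.urlsafe_b64decode(t + "=" * (-len(t) % 4))
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, dec(s)):
        raise ValueError("bad signature")
    return json.loads(dec(h)), json.loads(dec(p))

def naive_id_token_check(token: str, issuer: str) -> bool:
    """Looks only at iss/sub, so a signed claims object from the issuer passes too."""
    _, payload = verify_jws(token)
    return payload.get("iss") == issuer and "sub" in payload

def strict_id_token_check(token: str, issuer: str, client_id: str) -> bool:
    """Rejects explicitly typed claim objects and demands the ID-token-only members."""
    header, payload = verify_jws(token)
    if header.get("typ") not in (None, "JWT"):
        return False
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= time.time():
        return False
    aud = payload.get("aud")
    aud_ok = aud == client_id or (isinstance(aud, list) and client_id in aud)
    return aud_ok and payload.get("iss") == issuer and "sub" in payload

def valid_claims_object(token: str) -> bool:
    """A claims object must carry the explicit typ and must not carry exp or aud."""
    header, payload = verify_jws(token)
    return header.get("typ") == CLAIMS_TYP and not (payload.keys() & {"exp", "aud"})

ISSUER, CLIENT = "https://claims.example", "rp-client"  # constructed sample values
CLAIMS_OBJECT = sign_jws({"alg": "HS256", "typ": CLAIMS_TYP}, {"iss": ISSUER, "sub": "user-1",
                         "verified_claims": {"claims": {"given_name": "Ada"}}})
ID_TOKEN = sign_jws({"alg": "HS256", "typ": "JWT"}, {"iss": ISSUER, "sub": "user-1",
                    "aud": CLIENT, "exp": int(time.time()) + 300})
```

The naive check accepts the claims object as if it were an ID token; the strict check turns it away on the typ header alone, and would still reject it for the missing exp/aud even if no typ were set.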
More information about the Openid-specs-ekyc-ida mailing list