[Openid-specs-fapi] Verification: non-compliant JWT audience

Pamela Dingle pdingle at pingidentity.com
Fri Sep 22 22:53:18 UTC 2017


Hi FAPI'ers,

Can anyone here comment on whether they use or make technology that CANNOT
override the standard RFC7519 JWT audience validation requirements?

I know that the jose4j library allows the ability to override the rules set
out in https://tools.ietf.org/html/rfc7519#section-4.1.3 but I don't know
if that is a common feature of other libraries.  As I read those rules, any
entity that receives a JWT with an aud claim populated but which does not
have the entity itself listed as a recipient should reject that JWT.

In this case we are talking about validating software statements in
dynamic client requests -- if the software statement is generated with an
audience set to be the client requesting the software statement,
technically every AS the client tries to post that statement to should
reject the statement, since the aud claim does not reference them
directly.  Any opinions on whether at the end of the day this is a serious
compliance issue (or not), and/or a real problem for implementers (or not)
would be welcome.

Cheers,

Pamela

-- 
Pam Dingle
Principal Technical Architect
pdingle at pingidentity.com
w: +1 303.999.5890
c: +1 303.999.5890

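To make the RFC 7519 rule discussed in this message concrete, the following is an added example (not part of the thread, and not jose4j's or any other library's code) of a strict section 4.1.3 audience check applied to the claims of a software statement presented in a dynamic client registration request. The issuer, client identifier and authorization server URLs are constructed placeholders, and the JWT signature is assumed to have been verified separately before these claims are inspected.

```python
"""Strict RFC 7519 section 4.1.3 'aud' validation for a software statement.

The rule: if the 'aud' claim is present and the entity processing the JWT
does not identify itself with a value in 'aud', the JWT MUST be rejected.
'aud' may be a single StringOrURI or an array of them.
"""


def audiences(claims):
    """Return the list of audience values, or None if 'aud' is absent."""
    aud = claims.get("aud")
    if aud is None:
        return None  # no 'aud' claim: the audience rule does not apply
    if isinstance(aud, str):
        return [aud]  # single-recipient form
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud  # multi-recipient form
    raise ValueError("malformed 'aud' claim: expected string or array of strings")


def audience_accepts(claims, recipient):
    """Apply the strict rule from the recipient's (here, the AS's) point of view."""
    auds = audiences(claims)
    if auds is None:
        return True  # nothing to check against
    return recipient in auds


def check_against_servers(claims, authorization_servers):
    """Evaluate one software statement against every AS it might be posted to."""
    return {as_id: audience_accepts(claims, as_id) for as_id in authorization_servers}


# Constructed software statement payload, modelling the case in the message:
# the issuer set 'aud' to the client that requested the statement, so no
# authorization server is named as a recipient.
SOFTWARE_STATEMENT = {
    "iss": "https://software-statement-issuer.example",  # constructed
    "aud": "client-1234",                                # constructed client id
    "software_id": "constructed-software-id",
}

# Constructed AS identifiers the client later registers with.
AUTHORIZATION_SERVERS = ["https://as1.example", "https://as2.example"]

if __name__ == "__main__":
    for as_id, ok in check_against_servers(SOFTWARE_STATEMENT, AUTHORIZATION_SERVERS).items():
        print(f"{as_id}: {'accept' if ok else 'REJECT (aud does not name this AS)'}")
```

Every AS in the constructed list rejects the statement under the strict rule; it is accepted only when the AS identifier is added to `aud` (or `aud` is omitted), which is the situation the message asks implementers to weigh.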

