[Openid-specs-fapi] Issue #190: aud (& iss?) should be mandatory in request objects (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Fri Nov 9 16:37:19 UTC 2018


New issue 190: aud (& iss?) should be mandatory in request objects
https://bitbucket.org/openid/fapi/issues/190/aud-iss-should-be-mandatory-in-requests

Joseph Heenan:

As I interpret the specs (https://openid.net/specs/openid-connect-core-1_0.html#RequestObject), currently RPs aren't required to include aud in the request object:

> The aud value SHOULD be or include the OP's Issuer Identifier URL.

i.e. this 'should' needs to be a 'must' in FAPI I think.

I am also dubious about the "or" part. An exact match seems like a better idea to me.

I suspect we need to do a fuller check on any other fields that are mandatory in request objects.
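The two readings of the aud rule discussed above, written out as an authorization-server-side check. This is an added example and not code from the thread or from the FAPI specification: it assumes a hypothetical OP issuer identifier and client_id, builds JWS-shaped sample request objects with a placeholder signature segment (claim validation happens after signature verification, which is out of scope here), and compares the OIDC Core "be or include" wording against the stricter "mandatory and exact match" policy proposed in the issue. The iss check follows the Core text that iss should be the RP's client_id.

```python
import base64
import json
from typing import Any

# Constructed sample values (hypothetical OP and client, not taken from the thread).
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_request_object(claims: dict[str, Any]) -> str:
    """Build a compact JWS-shaped string for the constructed samples below.

    The third segment is a placeholder, not a real signature. A real AS
    verifies the signature first and only then trusts the claims it reads.
    """
    header = _b64url_encode(json.dumps({"alg": "PS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def request_object_claims(token: str) -> dict[str, Any]:
    """Return the payload claims of a compact-serialised request object."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_aud(claims: dict[str, Any], op_issuer: str, exact: bool = True) -> list[str]:
    """Return problems with aud; an empty list means the claim passed.

    exact=False implements the OIDC Core wording (aud SHOULD be or include
    the OP's Issuer Identifier). exact=True is the stricter policy from the
    issue: aud is mandatory and must be exactly the issuer identifier.
    """
    if "aud" not in claims:
        return ["aud missing"]
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        return ["aud must be a string or an array of strings"]
    if exact:
        if audiences != [op_issuer]:
            return [f"aud must be exactly {op_issuer!r}, got {aud!r}"]
    elif op_issuer not in audiences:
        return [f"aud does not include {op_issuer!r}"]
    return []


def check_iss(claims: dict[str, Any], client_id: str) -> list[str]:
    """iss must be present and equal the client_id of the requesting RP."""
    if "iss" not in claims:
        return ["iss missing"]
    if claims["iss"] != client_id:
        return [f"iss {claims['iss']!r} does not match client_id {client_id!r}"]
    return []


def validate_request_object(token: str, op_issuer: str, client_id: str,
                            exact: bool = True) -> list[str]:
    """Collect every iss/aud problem so the rejection reason is complete."""
    claims = request_object_claims(token)
    return check_iss(claims, client_id) + check_aud(claims, op_issuer, exact)


# Constructed samples: one that passes the strict policy, one with a multi-valued
# aud that only passes the "or include" reading, and one with aud omitted.
STRICT_OK = make_sample_request_object(
    {"iss": CLIENT_ID, "aud": OP_ISSUER, "client_id": CLIENT_ID, "response_type": "code"})
MULTI_AUD = make_sample_request_object(
    {"iss": CLIENT_ID, "aud": [OP_ISSUER, "https://other.example.net"],
     "client_id": CLIENT_ID, "response_type": "code"})
NO_AUD = make_sample_request_object(
    {"iss": CLIENT_ID, "client_id": CLIENT_ID, "response_type": "code"})

if __name__ == "__main__":
    for name, token in [("strict_ok", STRICT_OK), ("multi_aud", MULTI_AUD), ("no_aud", NO_AUD)]:
        for exact in (True, False):
            problems = validate_request_object(token, OP_ISSUER, CLIENT_ID, exact)
            print(f"{name:10} exact={exact}: {problems or 'ok'}")
```

Under the exact policy the multi-valued aud is rejected, which is the point of preferring "must be" over "or include": a request object minted for several audiences cannot be replayed at this OP.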
