[Openid-specs-fapi] Issue #190: aud (& iss?) should be mandatory in requests objects (openid/fapi)
issues-reply at bitbucket.org
Fri Nov 9 16:37:19 UTC 2018
New issue 190: aud (& iss?) should be mandatory in requests objects
As I interpret the specs ( https://openid.net/specs/openid-connect-core-1_0.html#RequestObject ), currently RPs aren't required to include aud in the request object:
> The aud value SHOULD be or include the OP's Issuer Identifier URL.
i.e. this 'should' needs to be a 'must' in FAPI, I think.
I am also dubious about the "or" part. An exact match seems like a better idea to me.
I suspect we need to do a fuller check on any other fields that are mandatory in request objects.
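Added example, not part of the original post or of any FAPI text: a sketch of how an OP's `aud` check on a request object behaves under the current SHOULD wording, under a mandatory "be or include" rule, and under the mandatory exact match suggested above. The issuer URLs, policy names and function names are assumptions made for illustration, and the claims are assumed to come from a request object whose signature has already been verified.

```python
from enum import Enum

OP_ISSUER = "https://op.example.com"        # constructed OP issuer identifier
OTHER_OP = "https://other-op.example.net"   # constructed second OP

class AudPolicy(Enum):
    SHOULD = "should"              # an OP that does not enforce the SHOULD
    MUST_INCLUDE = "must-include"  # aud MUST be or include the OP issuer
    MUST_EXACT = "must-exact"      # aud MUST be the OP issuer and nothing else

def normalise_aud(claims):
    """Return aud as a list of strings, or None if absent or malformed.
    A JWT aud claim may be a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    return None

def check_aud(claims, op_issuer, policy):
    """Return (accepted, reason) for the claims of a verified request object."""
    if policy is AudPolicy.SHOULD:
        return True, "aud not enforced"
    aud = normalise_aud(claims)
    if aud is None:
        return False, "aud missing or malformed"
    if policy is AudPolicy.MUST_INCLUDE:
        ok = op_issuer in aud
        return ok, "issuer in aud" if ok else "issuer not in aud"
    ok = aud == [op_issuer]
    return ok, "aud is exactly issuer" if ok else "aud is not exactly issuer"

# Constructed request object claims, one per case of interest.
SAMPLES = {
    "no aud": {"client_id": "rp-1", "scope": "openid"},
    "aud is issuer": {"client_id": "rp-1", "aud": OP_ISSUER},
    "aud lists two OPs": {"client_id": "rp-1", "aud": [OP_ISSUER, OTHER_OP]},
    "aud is another OP": {"client_id": "rp-1", "aud": OTHER_OP},
}

def verdicts(policy):
    """Map each sample name to True/False under the given policy."""
    return {name: check_aud(c, OP_ISSUER, policy)[0] for name, c in SAMPLES.items()}

if __name__ == "__main__":
    for policy in AudPolicy:
        print(policy.value, verdicts(policy))
```

The only sample that separates the two mandatory policies is the request object that names a second OP alongside the intended one: "be or include" accepts it, exact match rejects it.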