[Openid-specs-fapi] Issue #398: new certification check: aud in client assertions is issuer (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Mon Mar 29 18:47:19 UTC 2021


New issue 398: new certification check: aud in client assertions is issuer
https://bitbucket.org/openid/fapi/issues/398/new-certification-check-aud-in-client

Joseph Heenan:

For the FAPI WG’s information, the certification team intend to add a new test to the FAPI-RW, FAPI1-Advanced and FAPI-CIBA test suite that sends the `aud` in the client assertion to the token endpoint as the OP's issuer (whereas normally `aud` is the token endpoint as per OIDCC). If this test fails, a warning will be issued.

This is a step towards improving interoperability in this area, see [https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience#comment-60234935](https://bitbucket.org/openid/connect/issues/1213/private_key_jwt-client_secret_jwt-audience#comment-60234935) and [https://gitlab.com/openid/conformance-suite/-/issues/877](https://gitlab.com/openid/conformance-suite/-/issues/877) for further background.

As the test only issues a warning, failing the new test will not prevent anyone certifying - so this is viewed as a low impact change. The change will likely roll out in a few weeks' time.
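
An added example, not part of the original post or of the conformance suite: one way an OP could check the `aud` of a client assertion so that both the token endpoint URL and the issuer identifier are accepted. It assumes the assertion's signature, `exp` and `jti` have already been validated elsewhere; the URLs and function names are constructed for illustration.

```python
# Added example: audience check for a client assertion whose signature
# has ALREADY been verified elsewhere (assumption). URLs are constructed.
ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = "https://op.example.com/token"


def match_assertion_audience(claims, issuer=ISSUER, token_endpoint=TOKEN_ENDPOINT):
    """Return "issuer", "token_endpoint", or None for the assertion's aud.

    RFC 7519 allows aud to be a single string or an array of strings.
    Comparison is exact: no trailing-slash or case normalisation, so a
    near-miss URL is rejected rather than silently accepted.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(v, str) for v in aud):
        values = aud
    else:
        return None  # missing, empty, or malformed aud
    if token_endpoint in values:
        return "token_endpoint"
    if issuer in values:
        return "issuer"
    return None


def check_client_assertion(claims, client_id):
    """Apply the claim checks for client authentication; return (ok, reason)."""
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub must both equal the client_id"
    matched = match_assertion_audience(claims)
    if matched is None:
        return False, "aud is neither the issuer nor the token endpoint"
    return True, "aud matched " + matched
```

Returning which form matched lets the OP log how often clients send each audience value.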
