[Openid-specs-mobile-profile] Issue #219: Validation of aud in jwt based client auth (openid/mobile)

Bjorn Hjelm issues-reply at bitbucket.org
Tue Feb 11 15:01:36 UTC 2025


New issue 219: Validation of aud in jwt based client auth
https://bitbucket.org/openid/mobile/issues/219/validation-of-aud-in-jwt-based-client-auth

Bjorn Hjelm:

Based on a discussion in the (IETF) OAuth working group [interim meeting](https://datatracker.ietf.org/meeting/interim-2025-oauth-04/session/oauth) on a vulnerability that exploits ambiguous audience values for the AS (see slides [here](https://datatracker.ietf.org/doc/slides-interim-2025-oauth-04-sessa-private-key-jwt-aud-issues/)), revised text (see PR #[18](https://bitbucket.org/openid/mobile/pull-requests/18/overview)) was created for the CIBA Core 1.0 specification.

