Proposal/discussion: OIDC requirement to ensure issuer URL == issuer claim #2003
Labels: 1) Discussion ongoing (issue is opened and assigned but no clear proposal yet); 2) Awaiting response (awaiting a response from the original poster); V51 (group issues related to OAuth); _5.0 - prep (this needs to be addressed to prepare 5.0)
As per the discussion in #1969. From https://openid.net/specs/openid-connect-discovery-1_0.html#Security:
We can have a requirement such as this:
Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.
@elarlang
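One way a relying party could implement the check proposed above, as an added example that is not part of the original issue or of ASVS. The function names and sample issuer values are hypothetical, and it assumes the metadata document has already been fetched and the ID token's signature already verified.

```python
class IssuerMismatch(Exception):
    """Two issuer values that must be identical are not."""

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(issuer: str) -> str:
    # OIDC Discovery: remove a terminating "/" before appending the well-known path.
    base = issuer[:-1] if issuer.endswith("/") else issuer
    return base + WELL_KNOWN

def check_metadata(configured: str, metadata: dict) -> None:
    # Compare as opaque strings: no case folding, no slash or port normalisation.
    found = metadata.get("issuer")
    if not isinstance(found, str) or found != configured:
        raise IssuerMismatch(f"metadata issuer {found!r} != configured {configured!r}")

def check_id_token(configured: str, claims: dict) -> None:
    # Assumption: `claims` is the payload of an ID token whose signature was verified.
    found = claims.get("iss")
    if not isinstance(found, str) or found != configured:
        raise IssuerMismatch(f"iss claim {found!r} != configured {configured!r}")

def accepts(configured: str, metadata: dict, claims: dict) -> bool:
    try:
        check_metadata(configured, metadata)
        check_id_token(configured, claims)
        return True
    except IssuerMismatch:
        return False

# Constructed sample values (not from the issue): (metadata issuer, ID token iss).
CONFIGURED = "https://idp.example.com/tenant-a"
SAMPLES = {
    "exact match": ("https://idp.example.com/tenant-a", "https://idp.example.com/tenant-a"),
    "trailing slash": ("https://idp.example.com/tenant-a/", "https://idp.example.com/tenant-a"),
    "host case differs": ("https://IDP.example.com/tenant-a", "https://idp.example.com/tenant-a"),
    "other tenant in iss": ("https://idp.example.com/tenant-a", "https://idp.example.com/tenant-b"),
    "issuer missing": (None, "https://idp.example.com/tenant-a"),
}

def run_samples() -> dict:
    return {name: accepts(CONFIGURED, {"issuer": m}, {"iss": t})
            for name, (m, t) in SAMPLES.items()}

if __name__ == "__main__":
    print(discovery_url(CONFIGURED))
    for name, ok in run_samples().items():
        print(f"{name:22} {'accept' if ok else 'reject'}")
```

Only the exact match is accepted; every near miss, including a value that differs only by a trailing slash or by host case, is rejected rather than normalised.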