@josephdecock josephdecock commented Jan 27, 2025

Adds a new option that will enforce that the only private_key_jwt audience allowed is the issuer identifier, and that it is a string - not an array of a single value.

The audience of private key jwts has historically been somewhat open to implementation in various OAuth and OpenID specs. Some specs have said to use the issuer identifier, others the token endpoint or other endpoints, and some say to accept all. However, there is currently an effort from IETF and the OpenID Foundation to make audience requirements consistent across all specifications, which will be accomplished by only accepting the issuer identifier. The most recent FAPI (Financial-grade API) specification requires this strict validation, and other specifications are in the process of being updated as well.
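To make the distinction in the description concrete, here is an added Python sketch of the two audience rules it contrasts; it is illustration written for this page, not code from the pull request or from IdentityServer. The legacy rule accepts the issuer identifier or the token endpoint, either as a bare string or anywhere inside an array; the strict rule accepts only the issuer identifier and only as a JSON string, so `"aud": ["https://idp.example.com"]` is rejected even though it names a single value. The URLs, the `strict` flag and the function names are constructed assumptions, and signature validation of the client assertion is assumed to happen separately before any claim is read.

```python
import base64
import json
from dataclasses import dataclass

# Constructed sample values for this example; not taken from the project.
ISSUER = "https://idp.example.com"
TOKEN_ENDPOINT = "https://idp.example.com/connect/token"


@dataclass
class AudienceCheck:
    ok: bool
    reason: str


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_assertion(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature, purely so the
    example has realistic input. A real private_key_jwt assertion is signed
    with the client's private key; this helper does NOT sign anything."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_unverified_claims(jwt_compact: str) -> dict:
    """Return the payload claims of a compact JWS without checking the signature.
    Only call this after (or alongside) signature verification against the
    client's registered key; it exists here to isolate the audience rule."""
    parts = jwt_compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(claims: dict, issuer: str, token_endpoint: str, strict: bool) -> AudienceCheck:
    """Validate the 'aud' claim of a private_key_jwt client assertion.

    strict=False: legacy behaviour, accept issuer or token endpoint, as a
                  string or as any element of an array.
    strict=True:  FAPI-style behaviour, accept exactly the issuer identifier
                  and only when it is a JSON string (an array is rejected
                  even when it holds that single value).
    """
    aud = claims.get("aud")
    if aud is None:
        return AudienceCheck(False, "aud claim missing")

    if strict:
        if isinstance(aud, list):
            return AudienceCheck(False, "strict mode: aud must be a string, not an array")
        if not isinstance(aud, str):
            return AudienceCheck(False, "strict mode: aud must be a string")
        if aud != issuer:
            return AudienceCheck(False, f"strict mode: aud must equal the issuer identifier {issuer!r}")
        return AudienceCheck(True, "aud is exactly the issuer identifier")

    # Legacy mode: normalise to a list and accept any of the allowed values.
    values = aud if isinstance(aud, list) else [aud]
    if not values or not all(isinstance(v, str) for v in values):
        return AudienceCheck(False, "aud must be a non-empty string or array of strings")
    allowed = {issuer, token_endpoint}
    matched = [v for v in values if v in allowed]
    if matched:
        return AudienceCheck(True, f"accepted audience {matched[0]!r}")
    return AudienceCheck(False, f"no accepted audience among {values!r}")


def run_demo() -> dict:
    """Evaluate the shapes the PR description contrasts under both rules."""
    samples = {
        "issuer_string": {"aud": ISSUER},
        "issuer_single_array": {"aud": [ISSUER]},
        "token_endpoint_string": {"aud": TOKEN_ENDPOINT},
        "mixed_array": {"aud": [TOKEN_ENDPOINT, "https://other.example.net"]},
    }
    results = {}
    for name, claims in samples.items():
        token = make_sample_assertion({"iss": "client-1", "sub": "client-1", **claims})
        decoded = decode_unverified_claims(token)
        results[name] = {
            "legacy": check_audience(decoded, ISSUER, TOKEN_ENDPOINT, strict=False).ok,
            "strict": check_audience(decoded, ISSUER, TOKEN_ENDPOINT, strict=True).ok,
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:24s} legacy={outcome['legacy']!s:5s} strict={outcome['strict']}")
```

Running the demo shows the operational difference: every sample passes the legacy rule, while only the bare issuer string passes strict validation. The reason strings are what you would want surfaced in the token endpoint's error log when an existing client breaks after the option is enabled.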

@josephdecock josephdecock requested a review from bhazen January 27, 2025 21:31
@josephdecock josephdecock force-pushed the jmdc/strict-aud-validation branch from 7d28775 to 5a7c9ee on January 27, 2025 22:07
Adds a new option that will enforce that the only private_key_jwt audience allowed is the issuer identifier, and not even a wrapping array of a single value.
@josephdecock josephdecock force-pushed the jmdc/strict-aud-validation branch from 5a7c9ee to f50960a on January 27, 2025 22:10
@josephdecock josephdecock merged commit a143f1e into main Jan 28, 2025
6 checks passed
@josephdecock josephdecock deleted the jmdc/strict-aud-validation branch January 28, 2025 00:40
@josephdecock josephdecock added the area/products/identity-server Related to Identity Server label Jan 28, 2025
@josephdecock josephdecock added this to the is-7.2.0 milestone Jan 28, 2025