Checklist:
- I verified the client configuration matches the information in the identity provider (or I am using dynamic client registration)
- I am either using a custom URI scheme or https with App Links for client redirect.
- I can reproduce the issue in the demo app (optional)
Configuration
- Version: 0.9.1
- Integration: native (Java/Kotlin)
- Identity provider: Google
Issue Description
Currently, the library throws an AuthorizationException during the ID token validation, while processing a TokenResponse, if the token contains an authorized party (azp) matching the client ID and audience (aud) which is a single value other than the client ID, e.g.:
```json
{
  "azp": "client_id",
  "aud": "my_audience",
  ...
}
```
According to the OIDC spec Section 2, azp Claim:

> OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
this is a valid case and should not be rejected during the validation. However, from what I saw in the code, the ID token validation takes only the OIDC spec Section 3.1.3.7, rule no. 3, into account:

> The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
The problem doesn't occur in AppAuth-iOS, where the validation is performed according to both of the sections mentioned above.