
Validation of Aggregated Userinfo Claims

Open maennchen opened this issue 9 months ago • 0 comments

oidcc version

latest

Erlang version

any

Elixir version

any

Summary

  • Certification Suite: oidcc-client-test-plan
  • Certification Test: oidcc-client-test-aggregated-claims

The certification test contains an aggregated JWT Userinfo Claim with an unsigned Token.

Current behavior

Validation Fails

How to reproduce

Run the oidcc-client-test-aggregated-claims test

Expected behavior

Spec: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims

§ 5.6.2. Aggregated and Distributed Claims ... An iss (issuer) Claim SHOULD be included in any JWT issued by a Claims Provider so that the Claims Provider's keys can be retrieved for signature validation of the JWT. The value of the Claim is the Claims Provider's Issuer Identifier URL. ...

Based on this I assume:

  • Validation is not according to userinfo rules.
  • Instead:
    • none is valid
    • If iss present, load config / JWKs and validate using the rules of that iss.

maennchen, Jun 02 '25 14:06
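The validation rule proposed in the issue, worked through as an added example (this is not oidcc code): aggregated claims from `_claim_sources` are expanded, a JWT with alg `none` is accepted but its claims stay flagged as unverified, and any other JWT is checked with keys selected by its `iss` rather than by the userinfo endpoint's rules. The issuer key lookup (`ISSUER_KEYS`, an HMAC key), `make_jwt` and `SAMPLE_USERINFO` are constructed stand-ins; a real client resolves the issuer's discovery document and JWKS and verifies an asymmetric signature.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Hypothetical stand-in for "load config / JWKs of that iss" (issuer -> HMAC key); a real client uses the issuer's discovery document and JWKS.
ISSUER_KEYS = {"https://claims.example": b"constructed-secret"}

def make_jwt(payload: dict, key: bytes = b"") -> str:
    # Builds a constructed sample token; unsigned (alg "none") when no key is given.
    head = b64url_encode(json.dumps({"alg": "HS256" if key else "none"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest() if key else b""
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_claims_provider_jwt(token: str, issuer_keys=ISSUER_KEYS) -> dict:
    # The issue's rule: alg "none" is accepted but leaves the claims unverified; any other alg is validated with the keys of its iss.
    head, body, sig = token.split(".")
    header, payload = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    alg, iss = header.get("alg"), payload.get("iss")
    if alg == "none":
        return {"claims": payload, "iss": iss, "verified": False}
    if alg != "HS256":
        raise ValueError(f"unsupported alg {alg!r}")
    if iss not in issuer_keys:
        raise ValueError("cannot resolve keys: iss missing or unknown")
    expected = hmac.new(issuer_keys[iss], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError(f"signature invalid for issuer {iss}")
    return {"claims": payload, "iss": iss, "verified": True}

def resolve_aggregated_claims(userinfo: dict, issuer_keys=ISSUER_KEYS) -> dict:
    # Expands _claim_names/_claim_sources (OIDC Core 5.6.2), recording per claim whether its value came from a verified Claims Provider JWT.
    out = {}
    for claim, src_name in userinfo.get("_claim_names", {}).items():
        src = userinfo["_claim_sources"][src_name]
        if "JWT" not in src:
            continue  # distributed claims (endpoint + access_token) are out of scope here
        res = validate_claims_provider_jwt(src["JWT"], issuer_keys)
        out[claim] = {"value": res["claims"].get(claim), "iss": res["iss"], "verified": res["verified"]}
    return out

# Constructed userinfo: one unsigned aggregated JWT, one signed by a known issuer.
ISS = "https://claims.example"
SAMPLE_USERINFO = {
    "sub": "248289761001", "_claim_names": {"address": "src1", "phone_number": "src2"},
    "_claim_sources": {
        "src1": {"JWT": make_jwt({"address": {"locality": "Zurich"}})},
        "src2": {"JWT": make_jwt({"iss": ISS, "phone_number": "+41 00 000 00 00"}, ISSUER_KEYS[ISS])},
    },
}
```

Callers should keep the `verified` flag next to each value: an unsigned aggregated claim is data the Claims Provider did not authenticate, and treating it like a signed one silently upgrades its trust.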