oidc-agent
Add support for checking 'iss' claim against issuer
Many OPs issue a JWT as the AT. I imagine it would be relatively trivial for oidc-token to inspect the token and, if it is a JWT, extract the iss claim value. This value could then be compared with what oidc-agent believes is the issuer URL.
A discrepancy can occur if (for example) the URL given to oidc-gen was malformed (e.g., containing unexpected trailing slashes). However, this incorrect value might go undetected, as the oidc document discovery would still work.
oidc-token could then issue a warning if the issuer doesn't match the expected value. This would give the user the opportunity to update the issuer URL.
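A sketch of the check proposed above, as an added Python example (not oidc-agent code, which is written in C): it decodes the payload of a JWT-shaped access token without verifying the signature, reads the iss claim, and distinguishes an exact match, a difference that is only a trailing slash, and a real mismatch. SAMPLE_TOKEN is a constructed token with a fake signature, not one issued by any real OP.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_payload(token: str):
    """Decode the payload of a compact JWS (header.payload.signature).
    Returns the claims dict, or None if the token is opaque / not a JWS.
    The signature is deliberately NOT verified: this is a sanity check on a
    token the agent itself just received from the OP, not a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:                              # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def check_issuer(token: str, configured_issuer: str) -> str:
    """Compare the token's 'iss' claim with the issuer URL oidc-agent has configured."""
    claims = jwt_payload(token)
    if claims is None:
        return "opaque"             # not a JWT: nothing to compare
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return "no-iss"
    if iss == configured_issuer:
        return "match"
    if iss.rstrip("/") == configured_issuer.rstrip("/"):
        return "trailing-slash"     # same OP, config differs only by a trailing '/'
    return "mismatch"               # different issuer: warn loudly

def issuer_warning(token: str, configured_issuer: str):
    """Return the warning oidc-token would print, or None when nothing is wrong."""
    status = check_issuer(token, configured_issuer)
    if status in ("match", "opaque", "no-iss"):
        return None
    iss = jwt_payload(token)["iss"]
    return (f"warning: token 'iss' claim {iss!r} does not match configured issuer "
            f"{configured_issuer!r} ({status}); consider updating the issuer URL")

# Constructed sample: a JWT-shaped access token with a placeholder signature part.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"iss":"https://op.example.org","sub":"alice","exp":1700000000}'),
    "fake-signature",
])
```

Running check_issuer(SAMPLE_TOKEN, "https://op.example.org/") returns "trailing-slash", which is exactly the malformed-URL case the issue describes; a non-JWT token returns "opaque" and produces no warning.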