Open deleterepo opened 1 month ago
Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.
These look like two requirements:
Could this be reformulated something like:
All this could apply to plain OAuth as well.
Do you think it is an OAuth- and OIDC-specific requirement, or a general token validation requirement?
We have the requirement:
# | Description | L1 | L2 | L3 | CWE | NIST § |
---|---|---|---|---|---|---|
3.5.6 | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | ✓ | ✓ | ✓ | 287 |
The changes for mentioned requirement are discussed in https://github.com/OWASP/ASVS/issues/1967
ping @deleterepo
Do you think it is an OAuth- and OIDC-specific requirement, or a general token validation requirement?
I personally would like to address this with a general requirement for tokens, with OIDC as an example if needed. See https://github.com/OWASP/ASVS/issues/1967#issuecomment-2351456688
Seems a duplicate of #1826, or at least related.
As per the discussion in https://github.com/OWASP/ASVS/issues/1969, and from https://openid.net/specs/openid-connect-discovery-1_0.html#Security:
We can have a requirement such as this:
Verify that relying parties ensure that the issuer URL they are using for the configuration request exactly matches the value of the issuer claim in the OpenID provider metadata document received by the relying party, and that this also exactly matches the iss claim value in ID tokens that are supposed to be from that issuer.
@elarlang
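As an added illustration of what the proposed discovery requirement and the more general 3.5.6 check look like in relying-party code (this is example code written for this thread, not ASVS or OpenID Foundation code; the issuer URL, client ID, metadata documents, claim sets and fixed clock are all constructed):

```python
"""Exact-match issuer checks for an OIDC relying party.

The RP holds one out-of-band configured issuer string. That string must be
equal, byte for byte, to (1) the "issuer" member of the provider metadata
fetched via discovery and (2) the "iss" claim of every ID token accepted.
No normalisation is applied: a trailing slash, a case change, an extra path
segment or a look-alike host is a mismatch and the document/token is
rejected. Signature verification is assumed to happen before the claim
checks shown here; it is out of scope for this example.
"""
import time
from typing import Dict, List, Optional

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """Where the RP fetches provider metadata (OIDC Discovery 4.1): the
    issuer with any terminating "/" removed, plus the well-known path.
    Only the request URL is derived; the configured string itself is
    never altered before comparison."""
    base = issuer[:-1] if issuer.endswith("/") else issuer
    return base + WELL_KNOWN


def check_metadata_issuer(configured_issuer: str, metadata: Dict[str, object]) -> bool:
    """Trust the metadata only if its "issuer" is exactly what the RP asked
    for. A document that states a different issuer (served by a mix-up
    endpoint or by a misconfigured provider) is discarded, not fixed up."""
    return metadata.get("issuer") == configured_issuer


def verify_id_token_claims(claims: Dict[str, object], configured_issuer: str,
                           client_id: str, now: Optional[float] = None) -> List[str]:
    """Return the list of failed checks; an empty list means the claims pass.
    Covers iss, aud (+azp), sub and exp, i.e. the security-sensitive
    attributes of a stateless token that ASVS 3.5.6 asks to be verified."""
    problems: List[str] = []
    now = time.time() if now is None else now

    # Exact string equality, same rule as for the metadata "issuer".
    if claims.get("iss") != configured_issuer:
        problems.append("iss != configured issuer")

    # "aud" may be a single string or a list; we must be in it, and with
    # several audiences the authorized party must be us (OIDC Core 3.1.3.7).
    aud = claims.get("aud")
    audiences: List[str] = [aud] if isinstance(aud, str) else list(aud) if isinstance(aud, list) else []
    if client_id not in audiences:
        problems.append("aud does not contain our client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not our client_id")

    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        problems.append("sub missing or empty")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        problems.append("exp missing or in the past")

    return problems


# --- Constructed sample data (assumptions for the example, not real values) ---
CONFIGURED_ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-client-123"
NOW = 1_700_000_000  # fixed clock so the example is reproducible

GOOD_METADATA = {"issuer": "https://idp.example.com",
                 "jwks_uri": "https://idp.example.com/jwks"}

# Each differs from the configured issuer in a way a lenient comparison
# (URL normalisation, case folding, prefix match) might let through.
MISMATCHED_ISSUERS = [
    "https://idp.example.com/",              # trailing slash
    "https://IDP.example.com",               # case
    "https://idp.example.com/tenant-b",      # extra path segment / other tenant
    "https://idp.example.com.attacker.test", # look-alike host
]

GOOD_ID_TOKEN_CLAIMS = {"iss": CONFIGURED_ISSUER, "sub": "user-42",
                        "aud": CLIENT_ID, "exp": NOW + 300, "iat": NOW}


def run_checks() -> Dict[str, object]:
    """Exercise the checks on the constructed data and return the results."""
    return {
        "discovery_url": discovery_url(CONFIGURED_ISSUER),
        "good_metadata_ok": check_metadata_issuer(CONFIGURED_ISSUER, GOOD_METADATA),
        "mismatched_metadata_rejected": all(
            not check_metadata_issuer(CONFIGURED_ISSUER, {"issuer": bad})
            for bad in MISMATCHED_ISSUERS),
        "good_token_problems": verify_id_token_claims(
            GOOD_ID_TOKEN_CLAIMS, CONFIGURED_ISSUER, CLIENT_ID, NOW),
        "wrong_iss_problems": verify_id_token_claims(
            dict(GOOD_ID_TOKEN_CLAIMS, iss=MISMATCHED_ISSUERS[0]),
            CONFIGURED_ISSUER, CLIENT_ID, NOW),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The point of the example is the comparison rule, not the plumbing: the configured issuer is used to build the discovery URL and then compared as an opaque string to both the metadata `issuer` and the token `iss`, so a provider that advertises itself under a slightly different URL fails closed rather than being silently accepted.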