decentralized-identity / papers

Notes, ideas, and write-ups from DIF members and collaborators
Apache License 2.0

[SIOP] Define what happens in case iss is not https://self-issued.me #8

Closed awoie closed 5 years ago

awoie commented 5 years ago

If iss contains a different value than https://self-issued.me, then the id_token IS NOT an SIOP id_token anymore. Instead it MUST be validated according to the rules as defined in ID Token Validation. We have to check with the OIDC people whether this is applicable.

selfissued commented 5 years ago

Per https://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse, the "iss" value in a self-issued ID Token must be "https://self-issued.me". The self-issued response must be rejected if it is not.

awoie commented 5 years ago

Thank you. We can close that issue.
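An added example, not part of the thread or of any DIF or OpenID code: a relying party's claim checks for a self-issued response, with the `iss` rule from the discussion as an exact string match. The `aud` and `sub` thumbprint checks go beyond the thread and follow the same linked section of OpenID Connect Core; all function names and the sample key and token are constructed here.

```python
import base64
import hashlib
import json

SELF_ISSUED_ISS = "https://self-issued.me"  # value quoted in the thread

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_thumbprint(jwk):
    # RFC 7638: required members only, sorted keys, no whitespace, SHA-256.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canon.encode()).digest())

def check_self_issued_claims(id_token, redirect_uri):
    """Claim checks only. Signature verification against sub_jwk is not done here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    # Exact, case-sensitive match: no URL normalisation, no trailing slash.
    if claims.get("iss") != SELF_ISSUED_ISS:
        raise ValueError("iss is not https://self-issued.me, rejecting self-issued response")
    if claims.get("aud") != redirect_uri:
        raise ValueError("aud does not match the redirect_uri")
    try:
        expected_sub = jwk_thumbprint(claims.get("sub_jwk"))
    except (KeyError, TypeError):
        raise ValueError("sub_jwk absent or malformed")
    if claims.get("sub") != expected_sub:
        raise ValueError("sub is not the thumbprint of sub_jwk")
    return claims

def make_sample_token(claims):
    # Constructed sample with a placeholder signature, for exercising the checks only.
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    return ".".join([enc({"alg": "ES256"}), enc(claims), b64url_encode(b"placeholder")])

# Constructed key material (not a real curve point).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
```

A production verifier would also verify the JWS signature with `sub_jwk` and check `exp` and `nonce` before trusting any of these claims.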