dmitrizagidulin
commented
3 years ago Hi @ghost,
Thanks for opening the issue!
It would be feasible to use the azp field for something else, sure. What specifically do you have in mind?
Open ghost opened 4 years ago
dmitrizagidulin
commented
3 years ago Hi @ghost,
Thanks for opening the issue!
It would be feasible to use the azp field for something else, sure. What specifically do you have in mind?
dmitrizagidulin
commented
3 years ago Hi @ghost, just wanted to check in to make sure this issue is still relevant for you; I'm planning to close it in about a week, if not.
Hello,
The Solid project has a specification of the webid-oidc protocol [1] in which the aud field of the id_token contains the origin of the redirect_uri. This is very useful because we could check that the further restrictions based on the Origin header in the access control layer of the Solid server cannot be bypassed by simply removing the Origin header (i.e. using the token in a script).
In the mean time, I cannot help but notice that the 'azp' field contains the same information as the 'aud' field, so using it for something different would not lead to a loss of information.
Would it be feasible to do that?
[1] https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md