In this spec we state that attributes MUST be "stringOrURI" values and reference JWS spec for details.
In JWS it states:
A JSON string value, with the additional requirement that while arbitrary string values MAY be used, any value containing a ":" character MUST be a URI [RFC3986]. StringOrURI values are compared as case-sensitive strings with no transformations or canonicalizations applied.
However, in practice no implementations are actually performing this check. None of the major js packages perform this validation, and additionally the AzureAD .net implementation has not as well.
I'd suggest that we instead specify that the attribute values must be strings and call it a day.
In this spec we state that attributes MUST be "stringOrURI" values and reference JWS spec for details.
In JWS it states:
However, in practice no implementations are actually performing this check. None of the major js packages perform this validation, and additionally the AzureAD .net implementation has not as well.
I'd suggest that we instead specify that the attribute values must be strings and call it a day.