Hi all,

In the OIDC Hybrid flow there are some validations that need to be done when two id_tokens are issued. This happens only when response_type is equal to "code id_token" or "code id_token token".

The specification [1] states that:

1. "iss" and "sub" claim values must be identical in the two id_tokens.
2. If either ID Token contains claims about the End-User, any that are present in both should have the same values in both.
3. All Claims about the Authentication event present in either should be present in both.

In our current implementation we do not store the id_token value. We store an access token, put user attributes against that access token in the cache, and build the id_token. If a service provider (SP) configuration such as the subject identifier is changed, the previous cache entry will be removed from the cache. So if one id_token is issued and, while the authorization code has not expired, an SP's subject identifier configuration is changed, the next id_token's sub value will be changed, and it will be a specification violation. But an authorization code is only valid for 5 minutes, and the previously explained scenario is very unlikely to happen within 5 minutes.

After a discussion with team members, we decided to skip the "iss" validation.

[1] - http://openid.net/specs/openid-connect-core-1_0.html

Thanks.

--
Hasini Witharana
Software Engineering Intern | WSO2
Email: [email protected]
Mobile: +94713850143
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
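The three consistency rules quoted from the specification above, as an added example of how a relying party or a conformance test could check the Authorization Endpoint and Token Endpoint ID Tokens of one Hybrid Flow response against each other (this is added illustration code, not WSO2 Identity Server code; the set of "authentication event" claims and the set of registered claims excluded from the End-User comparison are assumptions drawn from the ID Token claim definitions in OIDC Core, and the two claim sets are constructed sample data):

```python
"""Consistency checks that OIDC Core 3.3.3.11 imposes on the two ID Tokens of a
Hybrid Flow response: one from the Authorization Endpoint, one from the Token
Endpoint. Added example, not WSO2 code."""
import base64
import json

# Assumed set of claims describing the authentication event (OIDC Core 2, 3.1.3.6).
AUTH_EVENT_CLAIMS = {"auth_time", "nonce", "acr", "amr"}
# Registered claims that may legitimately differ between the two tokens (hashes,
# timestamps) and are therefore not treated as claims about the End-User.
NON_USER_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nbf", "jti", "azp",
                   "at_hash", "c_hash"} | AUTH_EVENT_CLAIMS

def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT; signature verification is out of scope here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def hybrid_id_token_violations(first: dict, second: dict) -> list:
    """Return the rule violations between two ID Token claim sets ([] = consistent)."""
    problems = []
    # Rule 1: iss and sub MUST be identical in both tokens.
    for claim in ("iss", "sub"):
        if first.get(claim) != second.get(claim):
            problems.append(f"{claim} differs")
    # Rule 2: End-User claims present in both must carry the same value.
    for claim in sorted((set(first) & set(second)) - NON_USER_CLAIMS):
        if first[claim] != second[claim]:
            problems.append(f"end-user claim {claim} differs")
    # Rule 3: authentication-event claims present in either must be present in both.
    for claim in sorted(AUTH_EVENT_CLAIMS & (set(first) | set(second))):
        if claim not in first or claim not in second:
            problems.append(f"auth-event claim {claim} missing from one token")
    return problems

# Constructed sample: the Token Endpoint ID Token was built after the SP's subject
# identifier setting changed, so "sub" no longer matches, and it also lacks the
# auth_time claim the first token carried.
FROM_AUTHZ_ENDPOINT = {"iss": "https://idp.example", "sub": "user-123",
                       "aud": "client1", "nonce": "n-0S6_WzA2Mj",
                       "auth_time": 1700000000, "email": "[email protected]", "c_hash": "c"}
FROM_TOKEN_ENDPOINT = {"iss": "https://idp.example", "sub": "[email protected]",
                       "aud": "client1", "nonce": "n-0S6_WzA2Mj",
                       "email": "[email protected]", "at_hash": "a"}

if __name__ == "__main__":
    print(hybrid_id_token_violations(FROM_AUTHZ_ENDPOINT, FROM_TOKEN_ENDPOINT))
```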
