dxbjavid opened a new pull request, #3166: URL: https://github.com/apache/cxf/pull/3166
Noticed OidcClaimsValidator only checks the azp claim when it is present. A multi-audience ID token that omits azp is accepted as long as the aud array contains the client id, so a token minted for a different relying party can be replayed here. OIDC Core 3.1.3.7 requires azp to be present once a token lists more than one audience; this rejects that case while leaving single-audience tokens unchanged.
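The audience rule the PR describes, written out as an added example (not CXF's OidcClaimsValidator or any code from the PR): the function names, the `trusted` parameter and the sample claim sets are assumptions, and the claim set is assumed to have already passed signature, issuer and expiry checks.

```python
"""aud/azp checks for a decoded OIDC ID token, after OpenID Connect Core 3.1.3.7.

Added illustration; hypothetical names, not Apache CXF's validator. Assumes the
token signature, issuer and expiry were verified before these claims are read.
"""
from typing import Any, Iterable, List, Mapping, Optional


class AudienceError(ValueError):
    """The aud/azp claims do not bind this token to the relying party."""


def _audiences(claims: Mapping[str, Any]) -> List[str]:
    """Normalise aud (a string or an array of strings) to a list."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise AudienceError("aud missing or not a string / array of strings")


def validate_audience(claims: Mapping[str, Any], client_id: str,
                      trusted: Optional[Iterable[str]] = None) -> bool:
    auds = _audiences(claims)
    if client_id not in auds:
        raise AudienceError("token is not intended for this client")
    if trusted is not None:  # reject audiences this RP does not know about
        unknown = set(auds) - set(trusted) - {client_id}
        if unknown:
            raise AudienceError(f"untrusted audiences: {sorted(unknown)}")
    azp = claims.get("azp")
    if len(auds) > 1 and azp is None:
        # The case the PR closes: several audiences but nobody named as the
        # authorized party, so the token cannot be tied to this client.
        raise AudienceError("multi-audience token without azp")
    if azp is not None and azp != client_id:
        raise AudienceError("azp does not match this client")
    return True


def is_acceptable(claims: Mapping[str, Any], client_id: str,
                  trusted: Optional[Iterable[str]] = None) -> bool:
    try:
        return validate_audience(claims, client_id, trusted)
    except AudienceError:
        return False


# Constructed sample claim sets (issuer/subject values are placeholders).
SINGLE = {"iss": "https://op.example", "sub": "alice", "aud": "rp-a"}
MULTI_NO_AZP = {"iss": "https://op.example", "sub": "alice", "aud": ["rp-a", "rp-b"]}
MULTI_AZP = {**MULTI_NO_AZP, "azp": "rp-a"}
```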
