Hi,
+1 to AppAuth
One disturbing pattern I see for mobile apps relaying the ID token is
that the aud isn't checked by the AS in the OAuth exchange. This is in
part caused by the fact that the mobile app has two client-id
identifiers. If the aud only has the client ID for the OIDC call, this
can be a problem if the AS doesn't know what that ID is (since it
didn't issue the ID). If the issued ID token does not have an aud value,
the AS can recognize it should be rejected.
Is the AppAuth pattern documented somewhere? There's a chance I may not
be able to use Google's libraries...
Best regards,
Dario Teixeira
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
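The aud check the message above says is often missing, written out as an added example (not code from the post, the list, or any AppAuth library): an AS receiving a relayed ID token as a grant decodes it, verifies it, and then requires that aud name a client ID the AS itself issued, rejecting a token whose aud is absent or only carries the OP-issued client ID the AS has never seen. The client registry, issuer, sample tokens and the HS256 shared-key signing are all constructed for the demo; a real OP signs asymmetrically and the AS would verify against its JWKS. The azp rule for multi-valued aud follows OpenID Connect Core 3.1.3.7, tightened here to a hard requirement.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this demo: the client IDs this AS itself issued.  A mobile
# app relaying an ID token typically also holds a second, OP-issued client ID
# (the one the OpenID Provider knows) that this AS never issued.
KNOWN_CLIENT_IDS = {"as-mobile-client-1"}

# Assumption for the demo: the OP signs with a shared HMAC key.  A real OP
# signs ID tokens asymmetrically (RS256/ES256) and the AS fetches its JWKS.
OP_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
OP_ISSUER = "https://op.example"  # constructed issuer URL


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = OP_SIGNING_KEY) -> str:
    """Build an HS256 JWT; stands in for the OP only so the demo runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def check_relayed_id_token(token: str, known_client_ids=KNOWN_CLIENT_IDS,
                           key: bytes = OP_SIGNING_KEY, now=None):
    """Validate an ID token presented to the AS as a grant.

    Returns (accepted, reason).  The aud check is the point: the token must
    name a client ID this AS issued, otherwise the AS cannot tell which of
    its own clients the token was minted for and must reject it.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("iss") != OP_ISSUER:
        return False, "unexpected issuer"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"

    # aud may be a string or a list of strings (OIDC Core 2).  A missing aud
    # is rejected outright: the AS cannot bind the token to any client.
    aud = claims.get("aud")
    if aud is None:
        return False, "no aud claim"
    auds = [aud] if isinstance(aud, str) else aud
    if not isinstance(auds, list) or not all(isinstance(a, str) for a in auds):
        return False, "malformed aud"
    matched = set(known_client_ids).intersection(auds)
    if not matched:
        # The typical failure from the message: aud holds only the OP-issued
        # client ID, which this AS never issued and therefore does not know.
        return False, "aud names no client ID issued by this AS"
    if len(auds) > 1:
        # Multiple audiences: azp identifies the party the token was issued
        # to; require it and require it to be one of our own clients.
        azp = claims.get("azp")
        if azp not in known_client_ids:
            return False, "multiple aud values but azp is missing or unknown"
        return True, f"accepted for client {azp}"
    return True, f"accepted for client {matched.pop()}"


if __name__ == "__main__":
    now = 1_700_000_000
    base = {"iss": OP_ISSUER, "sub": "user-123", "exp": now + 600}
    for label, claims in [
        ("aud is our client", {**base, "aud": "as-mobile-client-1"}),
        ("aud is only the OP-issued client", {**base, "aud": "op-issued-client-id"}),
        ("no aud at all", base),
    ]:
        print(label, "->", check_relayed_id_token(mint_id_token(claims), now=now))
```

Keeping the known-client lookup as a set intersection rather than a string compare is deliberate: it handles both the scalar and list forms of aud without a second code path, and a token carrying only the OP-side client ID fails for the same reason as a token with no aud, which is the outcome the message argues for.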