
I'm in the context of managing an OpenID JWS, and I'm not sure how to verify the aud claim.

In detail, suppose that I have an application id myapp.site.com and I receive an aud whose value is myapp.site.com|*|ANY. I've not found specifications about this format, but reading the aud specification at https://openid.net/specs/openid-connect-core-1_0.html#IDToken I supposed I should explode the string myapp.site.com|*|ANY using the "pipe" as separator, and then verify whether this array contains the expected client id (i.e. myapp.site.com).

My question is: what about the * and ANY? Are there any specifications about this format? Where can I find information?

Thanks in advance,

Sim.

Sim Sca

1 Answer


That looks like a custom thing that is not a standard that I have seen anywhere else, so I guess it's up to you to parse it as it is. At the same time, the purpose of the audience is for the receiver of a token to be sure the token is aimed at it and not someone else. So it's a security risk to accept any token even if the signature is valid.

Tore Nestenius
Thank you for your reply. I understand the goal of this claim; in fact my only doubt was about its value, but I accept "that looks like a custom thing [...]" so thank you again. – Sim Sca Aug 12 '20 at 13:12
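An added example (not code from the question or the answer) of the strict audience check the answer argues for, following the aud/azp rules in the OIDC Core section the question links. It compares audiences for exact equality, so the pipe-delimited value from the question is rejected rather than parsed; the sample claims and the issuer URL are constructed.

```python
# Audience validation for an OpenID Connect ID Token (added example).
# Audiences are opaque strings compared for exact equality: no wildcards,
# and no special meaning for "*" or "ANY", which OIDC Core does not define.

def normalize_aud(aud):
    """aud may be a single string or an array of strings (RFC 7519 / OIDC Core)."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a non-empty string or array of strings")

def validate_audience(claims, client_id):
    """Return True if the ID Token claims are addressed to client_id.

    Raises ValueError when the token must be rejected:
      - aud is missing or malformed
      - client_id is not listed in aud (exact match)
      - aud lists several audiences but azp is absent or differs from client_id
      - azp is present but differs from client_id
    """
    if "aud" not in claims:
        raise ValueError("aud claim missing")
    audiences = normalize_aud(claims["aud"])
    # Exact comparison: "myapp.site.com|*|ANY" is not equal to "myapp.site.com".
    if client_id not in audiences:
        raise ValueError(f"token not intended for {client_id}: aud={audiences}")
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        # OIDC Core says azp SHOULD be present here; rejecting when it is
        # absent is the conservative choice for a relying party.
        raise ValueError("multiple audiences but azp claim missing")
    if azp is not None and azp != client_id:
        raise ValueError(f"azp {azp!r} does not match {client_id!r}")
    return True

def is_for_client(claims, client_id):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        return validate_audience(claims, client_id)
    except ValueError:
        return False

# Constructed sample claim sets (not real tokens); issuer URL is made up.
CLIENT_ID = "myapp.site.com"
SINGLE_AUD = {"iss": "https://idp.example", "aud": CLIENT_ID, "sub": "u1"}
MULTI_AUD = {"aud": [CLIENT_ID, "other.site.com"], "azp": CLIENT_ID}
MULTI_NO_AZP = {"aud": [CLIENT_ID, "other.site.com"]}
PIPE_AUD = {"aud": "myapp.site.com|*|ANY"}  # the value from the question
```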