Validation of Aggregated Userinfo Claims #453

@maennchen

Description

oidcc version

latest

Erlang version

any

Elixir version

any

Summary

  • Certification Suite: oidcc-client-test-plan
  • Certification Test: oidcc-client-test-aggregated-claims

The certification test contains an aggregated JWT Userinfo Claim with an unsigned Token.

Current behavior

Validation Fails

How to reproduce

Run oidcc-client-test-aggregated-claims test

Expected behavior

Spec: https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims

§ 5.6.2. Aggregated and Distributed Claims
...
An iss (issuer) Claim SHOULD be included in any JWT issued by a Claims Provider so that the Claims Provider's keys can be retrieved for signature validation of the JWT. The value of the Claim is the Claims Provider's Issuer Identifier URL.
...

Based on this I assume:

  • Validation is not according to userinfo rules.
  • Instead:
    • none is valid
    • If iss present, load config / JWKs and validate using the rules of that iss.
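
As an added illustration of the validation rules proposed above (example code, not oidcc's own implementation), the following Python resolves the `_claim_names`/`_claim_sources` structure of a UserInfo response: an `alg=none` JWT is accepted as unsigned, and a signed JWT is verified with keys selected by its own `iss` rather than by the UserInfo rules. The issuer URL, the HS256 key standing in for fetched JWKs, and the sample claims are constructed.

```python
import base64
import hmac
import json

# Constructed stand-in for the JWKs fetched via each issuer's discovery document.
# Hypothetical issuer URL and HS256 key, so the example runs with the stdlib only.
CLAIMS_PROVIDER_KEYS = {"https://claims.example.test": b"constructed-hs256-key"}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(payload: dict, key=None) -> str:
    """Build a constructed sample JWT: HS256 when a key is given, else alg=none."""
    header = {"alg": "HS256" if key else "none"}
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    if key is None:
        return signing_input + "."  # unsigned JWT: the signature part is empty
    return signing_input + "." + _b64url_encode(hmac.new(key, signing_input.encode(), "sha256").digest())

def validate_claims_jwt(token: str) -> dict:
    """Validate one aggregated-claims JWT by the rules the issue proposes."""
    head_b64, body_b64, sig = token.split(".")
    header, payload = (json.loads(_b64url_decode(part)) for part in (head_b64, body_b64))
    if header.get("alg") == "none":
        if sig != "":
            raise ValueError("alg=none with a non-empty signature part")
        return payload  # unsigned aggregated-claims JWT is accepted (Core 1.0 5.6.2)
    iss = payload.get("iss")  # the JWT's own iss selects the Claims Provider's keys
    key = CLAIMS_PROVIDER_KEYS.get(iss)
    if key is None or header.get("alg") != "HS256":
        raise ValueError(f"cannot verify claims JWT from issuer {iss!r}")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), "sha256").digest()
    if not hmac.compare_digest(_b64url_encode(expected), sig):
        raise ValueError("claims JWT signature invalid")
    return payload

def resolve_aggregated_claims(userinfo: dict) -> dict:
    """Merge _claim_names/_claim_sources of a UserInfo response into plain claims."""
    claims = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    verified = {}
    for name, src in userinfo.get("_claim_names", {}).items():
        if src not in verified:
            verified[src] = validate_claims_jwt(userinfo["_claim_sources"][src]["JWT"])
        if name in verified[src]:
            claims[name] = verified[src][name]
    return claims
```

A signed claims JWT whose `iss` is unknown, or whose signature does not verify under that issuer's key, is rejected rather than merged.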
