Status: Closed
Affects Version/s: 1.0.1.Final
Fix Version/s: 1.2.0.Beta1
Steps to Reproduce:
The OIDC Android sample client is used for testing the user flow:
More info in the user mailing list:
According to the basic client implementation, a client must validate the ID Token (http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token) received from the server.
The client MUST validate the ID Token in the Token Endpoint Response. To do this, the Client can split the id_token at the period (".") characters, take the second segment, and base64url decode it to obtain a JSON object containing the ID Token claims, which MUST be validated as follows:
- The Client MUST validate that the iss (issuer) Claim is valid for the Token Endpoint that the id_token was received from.
- The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the client.
- The current time MUST be less than the value of the exp Claim (possibly allowing for some small leeway to account for clock skew).
- The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces must be stored to prevent attacks. The acceptable range is Client specific.
- If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate. The meaning and processing of acr Claim Values is out of scope for this specification.
- If the auth_time Claim was requested, the Client SHOULD check the value and request re-authentication if it determines too much time has elapsed since the last user authentication.
This is a sample ID Token from Keycloak:
Keycloak is returning at least 2 wrong values:
- iss is returning the Realm name
- aud is returning the Realm name
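Claim validation along the lines of the spec excerpt above, run against a constructed token shaped like the one this report describes (the realm name in both iss and aud), as an added Python example that is not part of the original report or of Keycloak; the issuer URL and client_id are assumed placeholders.

```python
import base64
import json
import time

# Assumed placeholder values, not from the report: the issuer URL the client
# expects for the token endpoint it talked to, and its registered client_id.
ISSUER = "https://example.invalid/auth/realms/demo"
CLIENT_ID = "android-sample-client"

def b64url_decode(segment: str) -> bytes:
    # base64url segments carry no padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    # Basic client profile: split at ".", take the second segment, decode it.
    # Signature verification is a separate step that is not shown here.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token must have exactly three segments")
    return json.loads(b64url_decode(parts[1]))

def validate_claims(claims, issuer, client_id, now=None, leeway=60, max_age=300):
    """Return the list of failed checks; an empty list means the claims pass."""
    now = time.time() if now is None else now
    errors = []
    # iss must identify the issuer the token endpoint belongs to
    if claims.get("iss") != issuer:
        errors.append("iss does not match the issuer of the token endpoint")
    # aud must list our client_id and no audience we do not trust
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        errors.append("aud does not list this client")
    elif set(aud) - {client_id}:
        errors.append("aud contains audiences this client does not trust")
    # exp must still lie in the future, allowing a little clock skew
    if "exp" not in claims or now >= claims["exp"] + leeway:
        errors.append("token expired")
    # iat too far from now is rejected (the acceptable range is client specific)
    if "iat" not in claims or abs(now - claims["iat"]) > max_age:
        errors.append("iat too far from the current time")
    return errors

def make_demo_token(claims: dict) -> str:
    # Constructed, unsigned demo token in JWS shape, for offline testing only
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"
```

A token carrying the realm name as iss and aud fails the first two checks, which is what the Android sample client observed.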