Hello,
The Solid project has a specification of the webid-oidc protocol [1] in which the aud field of the id_token contains the origin of the redirect_uri. This is very useful because we could check that the further restrictions based on the Origin header in the access control layer of the Solid server cannot be bypassed by simply removing the Origin header (i.e. using the token in a script).
In the meantime, I cannot help but notice that the 'azp' field contains the same information as the 'aud' field, so using it for something different would not lead to a loss of information.
Would it be feasible to do that?
[1] https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md
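As an added illustration of the check described in this issue (this is example code, not code from the issue author, the Solid server, or the WebID-OIDC spec): a server-side decision that treats the token's `aud` claim as the authoritative origin, so a request whose `Origin` header has been removed is still judged against the origin the token was issued to. Everything concrete here is constructed for the example: the HS256 shared secret (real providers sign with their RS256 key), the WebID, the origins, the client ids in `azp`, and the hypothetical ACL.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example (not from the Solid spec or any real deployment).
SECRET = b"example-shared-secret-not-for-production"
WEBID = "https://alice.example/profile/card#me"
APP_ORIGIN = "https://app.example"
OTHER_ORIGIN = "https://other.example"

# Hypothetical ACL for one resource: which agents may read it, and from which origins.
ACL = {"agents": {WEBID}, "origins": {APP_ORIGIN}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, aud: str, azp: str, secret: bytes = SECRET, ttl: int = 3600) -> str:
    """Build an HS256 JWT carrying the WebID-OIDC claims discussed in the issue.
    aud is the origin of the redirect_uri; azp is the client id. HS256 with a shared
    secret keeps the example self-contained; real providers sign with RS256."""
    now = int(time.time())
    claims = {"iss": "https://idp.example", "sub": sub, "aud": aud, "azp": azp,
              "iat": now, "exp": now + ttl}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, secret: bytes = SECRET) -> dict:
    """Check signature, expiry and required claims, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    for required in ("sub", "aud"):
        if required not in claims:
            raise ValueError(f"missing {required} claim")
    return claims


def effective_origin(claims: dict, origin_header: Optional[str]) -> str:
    """The origin the access-control decision is made for.

    The token's aud (origin of the redirect_uri it was issued to) is authoritative.
    A present Origin header must agree with it; an absent header simply means aud
    is used on its own, so stripping the header does not widen what the token can do."""
    aud = claims["aud"]
    if origin_header is not None and origin_header != aud:
        raise PermissionError(f"Origin header {origin_header!r} does not match token aud {aud!r}")
    return aud


def decide(token: str, origin_header: Optional[str], acl: dict = ACL) -> str:
    """Map the checks to the HTTP outcome a server would return."""
    try:
        claims = verify_id_token(token)
    except ValueError as err:
        return f"401 {err}"
    try:
        origin = effective_origin(claims, origin_header)
    except PermissionError:
        return "403 origin mismatch"
    if claims["sub"] in acl["agents"] and origin in acl["origins"]:
        return "200"
    return "403"


if __name__ == "__main__":
    good = mint_id_token(WEBID, APP_ORIGIN, "client-123")
    elsewhere = mint_id_token(WEBID, OTHER_ORIGIN, "client-456")
    print("with Origin header:   ", decide(good, APP_ORIGIN))
    print("Origin header removed:", decide(good, None))
    print("other origin, no hdr: ", decide(elsewhere, None))
```

The point the issue makes is the last two lines of the demo: removing the `Origin` header does not turn the `elsewhere` token into an `app.example` request, because the decision reads the origin from `aud`, which the token holder cannot change without breaking the signature.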