IBM Verify


ISVA 10.0.6.0 - OIDC Token response location header changed?

  • 1.  ISVA 10.0.6.0 - OIDC Token response location header changed?

    Posted Tue July 18, 2023 07:34 AM

    Dear All,

    We have noticed that after the ISVA upgrade, once we call the TOKEN endpoint and request a token, we get an extra parameter in the Location attribute of the response header.

    Before upgrade:

    https://dummy#state=state&id_token=eyJ0e_XXXX


    After upgrade: 

    https://dummy#state=state&id_token=eyJ0e_XXXX&iss=httpsXXXX

    • Is this an expected behavior? 
    • If yes, can we turn it OFF?

    Regards,



    ------------------------------
    Janos Laszlo Horvath
    ------------------------------


  • 2.  RE: ISVA 10.0.6.0 - OIDC Token response location header changed?

    Posted Tue July 18, 2023 07:21 PM

    Hi Janos,

    This is expected behavior. The OAuth 2.0 Security Best Practice recommends the use of iss in the authorization response.
    https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1

    https://www.ibm.com/docs/en/sva/10.0.6?topic=conformance-oauth-20-security-best-current-practice

    No, there is no way to turn it off, since it is a security enhancement based on a specification.

    Regards,

    Sumana



    ------------------------------
    Sumana Narasipur
    ------------------------------
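The `iss` parameter that Sumana refers to is the mix-up defence from the OAuth 2.0 Security BCP, later standardised as RFC 9207: the authorization server adds `iss` to every authorization response so the client can confirm which server actually answered before it uses the `code` or `id_token`. The following is an added example (not ISVA code and not from either poster) of the check a relying party is expected to perform on a redirect like the ones quoted above. The issuer URL, the `state` value and the three Location headers are constructed for the demonstration; the assumed ISVA issuer URL is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed issuer of the ISVA OIDC definition; a real client takes this from
# the provider's discovery document, never from the response being checked.
EXPECTED_ISSUER = "https://isva.example.com/mga/sps/oauth/oauth20"

# Constructed Location header values modelled on the thread's examples.
BEFORE_UPGRADE = "https://dummy#state=abc123&id_token=eyJ0e_XXXX"
AFTER_UPGRADE = (
    "https://dummy#state=abc123&id_token=eyJ0e_XXXX"
    "&iss=https%3A%2F%2Fisva.example.com%2Fmga%2Fsps%2Foauth%2Foauth20"
)
# A response relayed from some other authorization server (mix-up attempt).
MIXED_UP = (
    "https://dummy#state=abc123&id_token=eyJ0e_XXXX"
    "&iss=https%3A%2F%2Fattacker.example%2Foauth"
)


def parse_authorization_response(location: str) -> dict:
    """Return the response parameters carried by a redirect URL.

    ISVA returned the id_token in the URL fragment (response_mode=fragment),
    so the fragment is parsed first; the query string is the fallback for
    response_mode=query. parse_qs percent-decodes the values for us.
    """
    parts = urlsplit(location)
    raw = parts.fragment if parts.fragment else parts.query
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def validate_authorization_response(
    location: str,
    expected_state: str,
    expected_issuer: str,
    issuer_supports_iss: bool = True,
) -> dict:
    """Apply the RFC 9207 client checks and return the parameters on success.

    issuer_supports_iss mirrors the AS metadata flag
    authorization_response_iss_parameter_supported: once the server is known
    to emit iss, a response without it must be rejected, otherwise an
    attacker could simply strip the parameter.
    """
    params = parse_authorization_response(location)

    # CSRF binding first: the state must be the one this client generated.
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")

    iss = params.get("iss")
    if iss is None:
        if issuer_supports_iss:
            raise ValueError("iss missing from a server that is known to send it")
    elif iss != expected_issuer:
        # RFC 9207 mandates a plain string comparison, no URL normalisation.
        raise ValueError(f"issuer mismatch: got {iss!r}")

    if "id_token" not in params and "code" not in params:
        raise ValueError("response carries neither id_token nor code")
    return params


def classify(location: str, expected_state: str = "abc123",
             issuer_supports_iss: bool = True) -> str:
    """Convenience wrapper that reports the outcome as a short string."""
    try:
        validate_authorization_response(
            location, expected_state, EXPECTED_ISSUER, issuer_supports_iss
        )
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Pre-upgrade response is only acceptable while the AS is not known to send iss.
    print("before, legacy AS :", classify(BEFORE_UPGRADE, issuer_supports_iss=False))
    print("before, 10.0.6 AS :", classify(BEFORE_UPGRADE))
    print("after upgrade     :", classify(AFTER_UPGRADE))
    print("mix-up attempt    :", classify(MIXED_UP))
```

The `iss` in the response is checked before any token is touched; validating the `iss` claim inside the `id_token` is a separate OIDC Core step and does not cover the authorization-code flow, where the client has no token yet when the redirect arrives. The client should also ignore the `Location` header's `iss` entirely in the other direction: it must never use it to decide which token endpoint to call.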