
I have added bearer token authentication on an API for a client. In the access token that's sent to the API, the issuer is this: http://[some-domain.com]/adfs/services/trust.

Is the identity provider configured incorrectly or in an unsafe way when this URL is on HTTP and not HTTPS? Or is this simply just a string, not used to make requests, and thus it doesn't matter if it says HTTP?

ptf

1 Answer

The iss claim is a string or URI, which means that the service receiving the token will use it to determine whether to trust the token or not by comparing the value to a list of issuers it is configured to trust.

The string comparison should follow the rules described in RFC 3986

The value is not a URL, so the value does not point to any real resource on the network.

See RFC 7519 for more information on JWT and standard claims.

MvdD
  • If it's a URI, how can it not be a URL? – Whimusical Mar 26 '21 at 23:32
  • @Whimusical see https://stackoverflow.com/q/176264/18044 – MvdD Mar 27 '21 at 15:35
  • I mean, if iss can be a URI, then it can be a URL. Why do you say the value 'http://[some-domain.com]/adfs/services/trust' is not a valid URL? Or perhaps I interpreted your answer wrong – Whimusical Mar 28 '21 at 13:54
  • @Whimusical a URL points to something you get access to via an HTTP request. A URI is an abstraction that may look like a URL but cannot actually be accessed on the internet. – MvdD Mar 29 '21 at 15:01
  • Then, using "http://[some-domain.com]/adfs/services/trust" as iss is valid or not? – Whimusical Mar 29 '21 at 17:36
  • If it's an existing URL, it is automatically a valid URI (not vice versa). So yes, that is valid. The original question was whether using http instead of https was unsafe. But the receiving server does not access that URL, so it does not matter. – MvdD Mar 29 '21 at 22:30
  • Ah okay. I think I get you now, I just misunderstood it. Thanks and my apologies – Whimusical Mar 29 '21 at 22:40
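The issuer check the answer describes, as an added example that is not part of the original post and not ADFS or any library's code: a minimal HS256 JWT signer and verifier built on Python's standard library, where the receiving API compares the iss claim against a configured allow-list by exact, case-sensitive string match (RFC 7519 section 2) and never fetches the value as a URL. The issuer string, the shared secret, and all function names are assumptions made for this demo; a real ADFS deployment would verify an RS256 signature against the keys in its federation metadata instead of a shared secret, but the issuer comparison is the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the issuer the question shows (brackets removed)
# and the allow-list the API is assumed to be configured with.
TRUSTED_ISSUERS = {"http://some-domain.com/adfs/services/trust"}
# Assumed HS256 shared secret so the demo is self-contained and runs offline.
SECRET = b"example-shared-secret"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS: header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature first; only then trust anything in the payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def issuer_is_trusted(iss, trusted: set) -> bool:
    # RFC 7519 section 2: StringOrURI claims are compared as case-sensitive strings
    # with no transformation or canonicalization. Nothing is resolved or fetched,
    # so "http://..." and "https://..." are simply two different strings here.
    return isinstance(iss, str) and iss in trusted


def check_token(token: str, key: bytes, trusted: set):
    """Return (accepted, reason) for a bearer token presented to the API."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as exc:
        return False, str(exc)
    iss = claims.get("iss")
    if not issuer_is_trusted(iss, trusted):
        return False, f"untrusted issuer: {iss!r}"
    return True, "ok"


if __name__ == "__main__":
    token = sign_hs256({"iss": "http://some-domain.com/adfs/services/trust", "sub": "alice"}, SECRET)
    print(check_token(token, SECRET, TRUSTED_ISSUERS))
    # A token whose iss says https:// is rejected, not because HTTPS is wrong,
    # but because it is not the string the API was configured to trust.
    token_https = sign_hs256({"iss": "https://some-domain.com/adfs/services/trust"}, SECRET)
    print(check_token(token_https, SECRET, TRUSTED_ISSUERS))
```

The practical consequence for the question: what matters is that the allow-list on the API contains exactly the issuer string ADFS puts in the token, scheme included, and that the token's signature is verified before the claim is read at all. Changing the configured issuer to https:// without changing what ADFS emits would make every token fail this comparison.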