4.3.4 Ensure 'disableIssChecking' issuer claim is set to 'false' in the RP (Relying Party)

Information

The RP (relying party) uses the iss (issuer) claim in a JWT to verify which OP (OpenID provider) issued the token it has received.

The OpenID Connect relying party should require the issuer claim in a JSON Web Token (JWT) and validate it: a token whose iss value does not match the expected provider is rejected. This helps ensure the authenticity of the JWT by matching the issuer claim to the name attribute or the redirect attribute of the client configuration in the OpenID Connect server provider. With disableIssChecking set to true, the RP skips this comparison and will accept a token from any issuer whose signature it can otherwise verify, so a misconfigured or compromised second OP can mint tokens the RP treats as its own. The attribute defaults to false, so a non-compliant value is normally an explicit setting somewhere in the server configuration.

Solution

Add the disableIssChecking attribute to the openidConnectClient element in ${server.config.dir}/configDropins/overrides/*.xml. Set the disableIssChecking attribute value to false to ensure that issuer claim checking for JSON Web Tokens occurs. Files in configDropins/overrides are applied after server.xml, so a setting there takes precedence over the value in the main configuration.

<openidConnectClient disableIssChecking="false" />
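The following audit script is an added example for this benchmark item; it is not part of the CIS page or the Liberty product. It parses Liberty configuration XML (server.xml and the configDropins/defaults and configDropins/overrides directories the benchmark names) and reports every openidConnectClient element whose disableIssChecking attribute is set to true. An absent attribute is treated as compliant because the documented default is false. The sample XML, the client ids in it, and the file names are constructed for the demonstration.

```python
"""Audit IBM WebSphere Liberty configuration for openidConnectClient elements
that turn off JWT issuer-claim checking (disableIssChecking="true").

Added example for CIS item 4.3.4; not part of the benchmark page or of Liberty.
The sample XML and file names below are constructed test data.
"""
import xml.etree.ElementTree as ET
from pathlib import Path


def disabled_clients(xml_text: str) -> list[str]:
    """Return the id (or clientId) of every openidConnectClient in xml_text
    whose disableIssChecking attribute is true.

    Liberty's documented default for disableIssChecking is false, so a missing
    attribute is compliant. The value is compared case-insensitively so that
    "TRUE" or " true " is still caught.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # root.iter() includes the root itself, so a bare <openidConnectClient/>
    # fragment (as in the Solution snippet) is handled as well as a <server>.
    for elem in root.iter("openidConnectClient"):
        value = elem.get("disableIssChecking", "false").strip().lower()
        if value == "true":
            findings.append(elem.get("id") or elem.get("clientId") or "<unnamed>")
    return findings


def audit_configs(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each config file name to its non-compliant client ids.

    Files with no findings are omitted. A file that fails to parse is reported
    under its own name rather than silently skipped, since an unparseable
    override cannot be shown compliant.
    """
    report: dict[str, list[str]] = {}
    for name, text in files.items():
        try:
            bad = disabled_clients(text)
        except ET.ParseError as exc:
            report[name] = [f"<parse error: {exc}>"]
            continue
        if bad:
            report[name] = bad
    return report


def audit_server_dir(server_config_dir: Path) -> dict[str, list[str]]:
    """Scan server.xml plus both configDropins directories.

    Liberty loads configDropins/defaults before server.xml and
    configDropins/overrides after it, so a disableIssChecking="true" in an
    override file wins over a compliant value in server.xml.
    """
    paths = [server_config_dir / "server.xml"]
    paths += sorted((server_config_dir / "configDropins" / "defaults").glob("*.xml"))
    paths += sorted((server_config_dir / "configDropins" / "overrides").glob("*.xml"))
    return audit_configs({str(p): p.read_text() for p in paths if p.is_file()})


# Constructed sample data: one compliant client, one explicitly non-compliant
# client, and one that relies on the default (compliant).
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>openidConnectClient-1.0</feature></featureManager>
  <openidConnectClient id="rp-good" clientId="app1"
      issuerIdentifier="https://op.example.test" disableIssChecking="false"/>
  <openidConnectClient id="rp-bad" clientId="app2" disableIssChecking="true"/>
  <openidConnectClient id="rp-default" clientId="app3"/>
</server>"""

# Constructed override that silently flips the third client to non-compliant.
SAMPLE_OVERRIDE_XML = """<server>
  <openidConnectClient id="rp-default" disableIssChecking="TRUE"/>
</server>"""


if __name__ == "__main__":
    sample_files = {
        "server.xml": SAMPLE_SERVER_XML,
        "configDropins/overrides/oidc.xml": SAMPLE_OVERRIDE_XML,
    }
    for fname, ids in audit_configs(sample_files).items():
        for client in ids:
            print(f"FAIL {fname}: openidConnectClient {client} has disableIssChecking=true")
```

Run it against a real server with `audit_server_dir(Path("/path/to/wlp/usr/servers/defaultServer"))`; an empty report means no client in server.xml or either dropins directory disables issuer checking.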

See Also

https://workbench.cisecurity.org/benchmarks/7724

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: Unix

Control ID: b2e08b77300be43d11f422b8b868aed62dd03b79886055acc72e50df5162627e