Issuer validation by Tools in the Ref. Imp.
Issuer validation by Tools in the Ref. Imp.
I see the following in the 1EdTech Security Spec:
5.1.3 Authentication Response Validation
Tools MUST validate the ID Token in the token response in the following manner:
The Tool MUST Validate the signature of the ID Token according to JSON Web Signature [RFC7515], Section 5.2 using the Public Key from the Platform;
The Issuer Identifier for the Platform MUST exactly match the value of the iss (Issuer) Claim (therefore the Tool MUST previously have been made aware of this identifier);
...
When we create a tool in the reference implementation, we never fill out any information for a platform issuer.
Is this actually being validated in the reference implementation, or somehow done implicitly?
Thanks!