如果我们在 OIDC 流程中获得 Id 令牌和访问令牌,如下所示:
标识令牌:
{
"iss": "https://server.example.com",
"sub": "24400320",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"auth_time": 1311280969,
"acr": "urn:mace:incommon:iap:silver"
"amr": ["mfa", "pwd","otp"]
}
访问令牌:
{
"iss": "https://cas.nhs.uk",
"sub": "https://fhir.nhs.uk/Id/sds-role-profile-id"|[SDSRoleProfileID]",
"aud": "https://provider.thirdparty.nhs.uk/GP0001/STU3/1",
"exp": 1469436987,
"iat": 1469436687,
"reason_for_request": "directcare",
"requested_scope": "patient/*.read",
"requesting_system": "https://fhir.nhs.uk/Id/accredited-system|[ASID]",
"requesting_organization": "https://fhir.nhs.uk/Id/ods-organization-code|[ODSCode]",
"requesting_user": "https://fhir.nhs.uk/Id/sds-role-profile-id"|[SDSRoleProfileID]"
}
来自 Id 令牌的“sub”声明应该与 Access 令牌中的“sub”声明匹配是否是一个有效的假设?还是它们都是单独的表示?
我们是否甚至在资源服务器上执行此类验证以确保它们都形成一对并针对同一个用户会话发出?