Impact
The OIDC validation within the bonsai-pay application does not sufficiently validate OIDC JWT responses. Currently, only the claim structure and the signature against the key are validated, which can lead to issues related to the expiration of identity attestations.
At a minimum, proving and claiming are possible using an expired token.
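The following added example (not code from the bonsai-pay project) contrasts the level of checking the advisory describes, structure plus signature only, with a validator that also enforces the temporal and audience claims an OIDC ID token carries. It uses HS256 with a constructed shared key purely so it runs on the Python standard library; a real deployment would verify the provider's RS256/ES256 signature against its JWKS. The issuer and audience strings are placeholders, and the expired token is constructed inline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption: HS256 so the example needs no crypto library;
# the real application checks the provider's asymmetric key from its JWKS).
DEMO_KEY = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://issuer.example"     # placeholder issuer
EXPECTED_AUDIENCE = "bonsai-pay-demo-client"   # placeholder OAuth client id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT for the constructed test cases."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_structure_and_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Only what the advisory says is checked today: three parts, JSON claims
    with a subject, and a valid signature. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict) or "sub" not in claims:
        raise ValueError("claims missing required fields")
    return claims


def verify_oidc_id_token(token: str, *, now: Optional[int] = None, leeway: int = 60,
                         key: bytes = DEMO_KEY) -> dict:
    """Signature check plus the exp/nbf/iat/iss/aud checks an OIDC ID token requires."""
    claims = verify_structure_and_signature(token, key)
    now = int(time.time()) if now is None else now
    for field in ("exp", "iat", "iss", "aud"):
        if field not in claims:
            raise ValueError(f"missing {field}")
    if now > claims["exp"] + leeway:          # expired attestation is the advisory's case
        raise ValueError("token expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid")
    if claims["iat"] > now + leeway:
        raise ValueError("iat in the future")
    if claims["iss"] != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if EXPECTED_AUDIENCE not in aud:
        raise ValueError("wrong audience")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run both validators over a constructed token that expired an hour ago."""
    expired = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                          "sub": "user-123", "iat": now - 7200, "exp": now - 3600})
    results = {}
    for name, check in (("signature_only", lambda t: verify_structure_and_signature(t)),
                        ("full_oidc", lambda t: verify_oidc_id_token(t, now=now))):
        try:
            check(expired)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print(demo())
```

The `now` parameter exists so the expiry check is deterministic in tests; in production it is the current time, and the leeway should be a small fixed value rather than something the caller can widen. Pinning `alg`, using a constant-time comparison, and checking `iss`/`aud` are the other checks that a signature-only validator misses.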
Patches
There is no current patch for this validation issue.
Workarounds
Do not use bonsai-pay in a production capacity without thorough security analysis and increased OIDC validation.