What is the change?
Signed, Encrypted and Signed-then-encrypted requests should have a valid Issuer (iss) and Audience (aud) in the request.
A valid iss is a valid client_id.
A valid aud is the EIdent issuer URL of the respective environment, i.e. https://www.ident-preprod1.nets.eu/oidc for Pre-Production and https://www.e-ident.nets.eu/oidc for Production.
Signed and Signed-then-encrypted requests already have validation on the ExpirationTime (exp) and IssuedAt (iat) request parameters, which throws an error if an invalid value is passed. Encrypted requests will now have the same validation.
What does this mean for customers?
Customers can expect an additional check on the request: it will be mandatory to pass a valid iss and aud in Signed, Encrypted and Signed-then-encrypted requests. If iss and aud are not passed, or an invalid value is passed, the customer can get a validation error. Additionally, Encrypted requests will have validation on exp and iat: if an invalid value is passed, the customer can get a validation error, as already happens for Signed and Signed-then-encrypted requests.
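A pre-flight check a client could run on its request claims before signing or encrypting them, given here as an added example and not code from Nets. The function name, the `example-client` id, the clock-skew allowance and the exact exp/iat rules are assumptions; only the issuer URLs and the iss/aud requirement come from this notice.

```python
import time

# Issuer URLs per environment, as listed in this notice.
EIDENT_ISSUER = {
    "preprod": "https://www.ident-preprod1.nets.eu/oidc",
    "prod": "https://www.e-ident.nets.eu/oidc",
}

def _is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, (int, float)) and not isinstance(value, bool)

def check_request_claims(claims, client_id, env, now=None, skew=60):
    """Return a list of problems in request claims (empty if none).

    Assumptions, not stated in the notice: exp and iat are JWT NumericDate
    seconds, exp must be in the future, iat must not be in the future, and
    `skew` seconds of clock drift are tolerated.
    """
    now = time.time() if now is None else now
    problems = []
    if not client_id or claims.get("iss") != client_id:
        problems.append("iss must equal the client_id")
    # The JWT spec allows aud as a string or a list; accepting a list here
    # is an assumption about the service.
    aud = claims.get("aud")
    if EIDENT_ISSUER[env] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud must be the issuer URL for " + env)
    exp, iat = claims.get("exp"), claims.get("iat")
    if not _is_number(exp):
        problems.append("exp must be a numeric timestamp")
    elif exp <= now - skew:
        problems.append("exp is in the past")
    if not _is_number(iat):
        problems.append("iat must be a numeric timestamp")
    elif iat > now + skew:
        problems.append("iat is in the future")
    return problems

if __name__ == "__main__":
    # Constructed sample: client_id and timestamps are made up.
    now = int(time.time())
    claims = {"iss": "example-client", "aud": EIDENT_ISSUER["prod"],
              "iat": now, "exp": now + 300}
    # aud is the Production URL, so checking against preprod reports it.
    print(check_request_claims(claims, "example-client", "preprod"))
```

Running the same check against both environments before the planned dates catches the common mistake of sending the Production aud to Pre-Production or the reverse.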
Planned date for pre-production: September 09, 2026
Planned date for production: October 1, 2026
Need help/Have questions:
Please reach out to https://ingroupe.com/in-trust-services-support-contact-page/