[Openid-specs-ab] Question about secret_type: JWT
Andreas Åkre Solberg
andreas.solberg at uninett.no
Wed Aug 24 04:56:23 UTC 2011
REDIRECT-05 Section 3.1.5 mentions the secret_type JWT:
> If the secret_type is "basic", send the pre-shared secret. If the secret_type is "JWT", send the compact serialization of the JWT [JWT] Signature over the 'code'.
Is this method described somewhere in more details?
It says JWT signature, but there is no JSON input? Does it mean JWS signature over the code string?
Getting the consumer to sign something that the Provider presents may be risky. Maybe not if a shared key is used, but if the consumer has a key-pair that it uses against multiple services. I'm thinking that the Provider can get a consumer to sign a code that the provider has received from a different provider, being able to impersonate the user.
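To make the question concrete, here is an added example (not part of this post or of the spec text it quotes): a compact HS256 JWS over the code, once with only the code as payload and once with an audience claim naming the intended provider, checked by a verifier that can optionally require that claim. The key, the provider URLs and the code value are constructed, and the single HMAC key stands in for a consumer key that more than one provider trusts.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-demo-key"          # constructed; stands in for a key trusted by several providers
CODE = "SplxlOBeZQQYbYS6WxSbIA"         # constructed authorization code
OP_A = "https://op-a.example"           # constructed provider identifiers
OP_B = "https://op-b.example"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_compact(payload: dict, key: bytes) -> str:
    """Produce header.payload.signature with HS256 over the JSON payload."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def bare_token(code: str) -> str:
    """Signature over nothing but the code: carries no hint of which provider it was meant for."""
    return sign_compact({"code": code}, KEY)


def bound_token(code: str, aud: str) -> str:
    """Same signature, but the payload also names the provider it is intended for."""
    return sign_compact({"code": code, "aud": aud}, KEY)


def verify_compact(token: str, key: bytes, expected_code: str,
                   expected_aud: Optional[str] = None) -> bool:
    """Verify HS256 signature, the code, and (if the verifier requires it) the audience."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    expected_sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected_sig), sig):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload.get("code") != expected_code:
        return False
    # A verifier that insists on its own identifier rejects tokens minted for another provider.
    if expected_aud is not None and payload.get("aud") != expected_aud:
        return False
    return True
```

With only the code signed, any provider trusting the key accepts the same token; with the audience claim required, a token intended for OP_A is rejected at OP_B.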