[Openid-specs-ab] Question about secret_type: JWT

John Bradley ve7jtb at ve7jtb.com
Thu Aug 25 16:21:35 UTC 2011


Yes, if we keep this we need to have:
aud
iss
exp
and perhaps a specific typ

It should probably be part of a profile for using openID Connect with asymmetric signatures as an extension.

John B.
On 2011-08-25, at 3:53 AM, Andreas Åkre Solberg wrote:

> 
> On 25. aug. 2011, at 06:39, John Bradley wrote:
> 
>> Yes, the idea is to use JWS to avoid directly disclosing the secret as is done with basic in the symmetric key case.
>> 
>> OAuth doesn't define an asymmetric authentication to the token endpoint.
>> 
>> The plan was to define a JWT with a single claim of code that would be signed by the RP.
> 
> OK.
> 
> My main point is that, I think there are security issues with that, unless you also require or recommend that the JWT iss and aud headers are present (I don't think they are in the JWT spec).
> 
> Andreas
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
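The thread's concern, that a signed JWT carrying only a `code` claim can be replayed to any token endpoint by anyone who captures it, is easiest to see with the checks the token endpoint has to make. The following is an added example, not code from the thread or from any OpenID Connect implementation. It builds JWS-style tokens with the standard library and has the token endpoint look up the RP's key by `iss`, verify the signature, and then require `aud` (this endpoint), `exp` (not in the past) and a `typ` header before accepting the `code`. HMAC-SHA256 stands in for the RS256 signature the thread discusses, because the claim checks are identical whichever algorithm signs the three-segment JWS; the endpoint URL, RP identifier, key, fixed clock and authorization code are all constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: the OP's token endpoint (expected aud), a registry of
# RP keys indexed by the RP identifier carried in iss, and a fixed clock.
TOKEN_ENDPOINT = "https://op.example/token"
CLIENT_KEYS = {"https://rp.example": b"rp-demo-key-stand-in-for-rp-private-key"}
NOW = 1314289295


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, typ: str = "JWT") -> str:
    """RP side: produce header.payload.signature (HS256 stands in for RS256)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_client_assertion(token, client_keys, token_endpoint, now, max_skew=60):
    """Token endpoint side: return the claims of an acceptable assertion or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected alg or typ header")
    # The payload is parsed before signature verification only to find the key;
    # nothing in it is trusted until the signature has been checked.
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("iss"), str):
        raise ValueError("missing claim: iss")
    key = client_keys.get(claims["iss"])
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    for required in ("aud", "exp", "code"):
        if required not in claims:
            raise ValueError(f"missing claim: {required}")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if token_endpoint not in aud:
        raise ValueError("aud mismatch")  # minted for some other token endpoint
    exp = claims["exp"]
    if not isinstance(exp, (int, float)) or exp + max_skew < now:
        raise ValueError("exp is in the past")  # replay of an old assertion
    return claims


def assertion_status(token, client_keys, token_endpoint, now):
    """Flatten the outcome to 'ok' or the rejection reason, for logging or tests."""
    try:
        verify_client_assertion(token, client_keys, token_endpoint, now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo():
    """Run the same authorization code through four assertion shapes."""
    rp, key = "https://rp.example", CLIENT_KEYS["https://rp.example"]
    code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed authorization code
    tokens = {
        "code_only": sign_jwt({"code": code}, key),
        "wrong_aud": sign_jwt({"iss": rp, "aud": "https://other-op.example/token",
                               "exp": NOW + 300, "code": code}, key),
        "expired": sign_jwt({"iss": rp, "aud": TOKEN_ENDPOINT,
                             "exp": NOW - 3600, "code": code}, key),
        "forged": sign_jwt({"iss": rp, "aud": TOKEN_ENDPOINT,
                            "exp": NOW + 300, "code": code}, b"not-the-rp-key"),
        "ok": sign_jwt({"iss": rp, "aud": TOKEN_ENDPOINT,
                        "exp": NOW + 300, "code": code}, key),
    }
    return {name: assertion_status(t, CLIENT_KEYS, TOKEN_ENDPOINT, NOW)
            for name, t in tokens.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} -> {status}")
```

The `code_only` case is the single-claim design from the quoted message: it carries no `iss`, so the endpoint cannot even decide whose key should verify it, and with `aud` and `exp` absent the same assertion would be equally valid at every token endpoint forever. Adding `iss`, `aud` and `exp` (and pinning `typ`) is what turns a signed blob into an assertion bound to one RP, one endpoint and one time window.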
