[Openid-specs-ab] key usage

Nat Sakimura sakimura at gmail.com
Fri Aug 17 01:47:00 UTC 2012


Yes. To be exact, other than HS256, HS384, or HS512.

On Thu, Aug 16, 2012 at 4:37 PM, Roland hedberg <roland at catalogix.se> wrote:

> OK, so I can answer my own question :-/
>
> According to http://openid.net/specs/openid-connect-messages-1_0.html
> section 5.2 bullet point 6 :
>
> For other Signing algorithms, the Client must use the signing key
> provided in Discovery by the Issuer. The issuer must exactly match the
> value of the iss (issuer) Claim.
>
> I guess other refers to other than HMAC.
>
> Room for a new test case :-)
>
> -- Roland
>
> Roland Hedberg skrev 2012-08-16 09:31:
> > Hi!
> >
> > I've just encountered this problem and I'm not sure we've decided how to
> > cope with it.
> >
> > The example is with Edmund's OP but that is immaterial, I have the same
> > problem with other OPs.
> >
> > When my RP gathers information about the OP, that information has an
> > issuer. In Edmund's case "https://connect.openid4.us/".
> >
> > My RP then gathers the keys published by the OP and stores them as owned
> > by the issuer.
> >
> > Later I get an ID Token from the OP with 'iss' defined as
> > 'https://connect.openid4.us/abop' which is not the same as the 'owner'
> > of the OP's keys.
> >
> > So, what to do ?
> >
> > Am I supposed to do a leading substring match with the OP information
> > issuer or am I to check against the endpoints of the OP or is the
> > assumption that the issuer of the OP information should be the same as
> > the issuer of the ID Token ?
> >
> > -- Roland
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >
> >
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
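
The key-selection rule discussed in this thread, as an added example that is not part of the original messages or of any OP/RP implementation: for HS256, HS384 and HS512 the RP uses the client secret, and for every other algorithm it uses the keys stored for the discovered issuer only when the ID Token's iss matches that issuer exactly. The function names, the placeholder key set and the client secret value are assumptions; the tokens are constructed samples with a placeholder signature, and signature verification itself is not shown.

```python
import base64
import json

HMAC_ALGS = {"HS256", "HS384", "HS512"}

class IssuerMismatch(Exception):
    """ID Token 'iss' is not the issuer whose keys the RP stored."""

def _decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(alg, iss):
    # Constructed sample: real header and payload, placeholder signature.
    return ".".join([_encode({"alg": alg}), _encode({"iss": iss}), "c2ln"])

def select_key_source(id_token, discovered_issuer, keys_by_issuer, client_secret):
    """Pick the key material allowed to verify this token (no signature check here)."""
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = _decode(header_b64).get("alg")
    iss = _decode(payload_b64).get("iss")
    if alg in (None, "none"):
        raise ValueError("unsigned ID Token")
    if alg in HMAC_ALGS:
        # HS256/HS384/HS512: OpenID Connect keys the MAC with the client secret.
        return "client_secret", client_secret
    # Every other algorithm: exact string match, no prefix or endpoint matching.
    if iss != discovered_issuer:
        raise IssuerMismatch(f"iss {iss!r} != discovered issuer {discovered_issuer!r}")
    return "issuer_keys", keys_by_issuer[discovered_issuer]

DISCOVERED = "https://connect.openid4.us/"          # issuer from the thread
KEYS = {DISCOVERED: ["<placeholder JWK set>"]}      # hypothetical stored keys

def demo():
    cases = [("RS256", DISCOVERED), ("RS256", DISCOVERED + "abop"), ("HS256", DISCOVERED + "abop")]
    results = []
    for alg, iss in cases:
        try:
            token = make_sample_token(alg, iss)
            results.append(select_key_source(token, DISCOVERED, KEYS, "s3cret")[0])
        except IssuerMismatch:
            results.append("rejected")
    return results

if __name__ == "__main__":
    print(demo())
```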