[Openid-specs-ab] key usage
sakimura at gmail.com
Fri Aug 17 01:47:00 UTC 2012
Yes. To be exact, other than HS256, HS384, or HS512.
On Thu, Aug 16, 2012 at 4:37 PM, Roland Hedberg <roland at catalogix.se> wrote:
> OK, so I can answer my own question :-/
> According to http://openid.net/specs/openid-connect-messages-1_0.html
> section 5.2 bullet point 6 :
> For other Signing algorithms, the Client must use the signing key
> provided in Discovery by the Issuer. The issuer must exactly match the
> value of the iss (issuer) Claim.
> I guess other refers to other than HMAC.
> Room for a new test case :-)
> -- Roland
> Roland Hedberg wrote 2012-08-16 09:31:
> > Hi!
> > I've just encountered this problem and I'm not sure we've decided how to
> > cope with it.
> > The example is with Edmund's OP but that is immaterial, I have the same
> > problem with other OPs.
> > When my RP gathers information about the OP, that information has an
> > issuer. In Edmund's case "https://connect.openid4.us/".
> > My RP then gathers the keys published by the OP and stores them as owned
> > by the issuer.
> > Later I get an ID Token from the OP with 'iss' defined as
> > 'https://connect.openid4.us/abop' which is not the same as the 'owner'
> > of the OPs keys.
> > So, what to do ?
> > Am I supposed to do a leading substring match with the OP information
> > issuer or am I to check against the endpoints of the OP or is the
> > assumption that the issuer of the OP information should be the same as
> > the issuer of the ID Token ?
> > -- Roland
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
Nat Sakimura (=nat)
Chairman, OpenID Foundation
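The rule the thread settles on (the ID Token's iss claim must exactly equal the issuer learned in Discovery, and for anything other than HS256/HS384/HS512 only keys published by that issuer may verify the token), shown as an added Python example. This is not code from pyoidc, from Edmund's OP or from the thread. The issuer strings reuse the two values from Roland's mail; the provider configuration, JWKS, kid, client secret and the RSA key pair are constructed, and the RS256 branch uses textbook RSA over the SHA-256 digest (no PKCS#1 padding) as a standard-library stand-in for the real algorithm, so the key-selection logic can be exercised offline.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_b64url(x: int) -> str:
    return b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))


def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")


# Constructed OP key material. Two Mersenne primes give a 648-bit modulus so the
# SHA-256 digest fits; the signature is textbook RSA (no PKCS#1 padding), a
# stand-in for real RS256 so this runs with the standard library only.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
OP_KID = "op-key-1"
CLIENT_SECRET = b"constructed-client-secret"  # shared RP/OP secret for HS* tokens
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def op_sign_id_token(claims: dict, alg: str) -> str:
    """OP side: mint a compact JWS over the claims (constructed signer)."""
    header = {"alg": alg, "kid": OP_KID} if alg == "RS256" else {"alg": alg}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    if alg in HMAC_ALGS:
        sig = hmac.new(CLIENT_SECRET, signing_input.encode(), HMAC_ALGS[alg]).digest()
    elif alg == "RS256":
        h = int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")
        sig = pow(h, D, N).to_bytes((N.bit_length() + 7) // 8, "big")
    else:
        raise ValueError("unsupported alg " + alg)
    return signing_input + "." + b64url_encode(sig)


class KeyStore:
    """RP side: JWKs indexed by the issuer that published them, then by kid."""

    def __init__(self):
        self._by_issuer = {}

    def load_from_discovery(self, provider_config: dict, jwks: dict) -> None:
        self._by_issuer[provider_config["issuer"]] = {k["kid"]: k for k in jwks["keys"]}

    def get(self, issuer: str, kid):
        return self._by_issuer.get(issuer, {}).get(kid)


def verify_id_token(token: str, expected_issuer: str, store: KeyStore, client_secret: bytes) -> dict:
    h_b64, p_b64, s_b64 = token.split(".")
    header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    signing_input, sig = (h_b64 + "." + p_b64).encode(), b64url_decode(s_b64)
    # Exact string comparison of iss against the discovered issuer: no prefix,
    # suffix or endpoint-based matching.
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss %r does not exactly match issuer %r" % (claims.get("iss"), expected_issuer))
    alg = header.get("alg")
    if alg in HMAC_ALGS:
        # HS*: the key is the client secret, nothing from Discovery is involved.
        expected = hmac.new(client_secret, signing_input, HMAC_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("HMAC verification failed")
    elif alg == "RS256":
        # Any other algorithm: only a key published by this exact issuer may be used.
        jwk = store.get(claims["iss"], header.get("kid"))
        if jwk is None:
            raise ValueError("no key with kid %r published by issuer %r" % (header.get("kid"), claims["iss"]))
        n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
        h = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
        if pow(int.from_bytes(sig, "big"), e, n) != h:
            raise ValueError("RSA verification failed")
    else:
        raise ValueError("unsupported alg %r" % alg)
    return claims


# Constructed provider configuration and JWKS, reusing the issuer from Roland's mail.
DISCOVERY = {"issuer": "https://connect.openid4.us/"}
JWKS = {"keys": [{"kty": "RSA", "kid": OP_KID, "n": int_to_b64url(N), "e": int_to_b64url(E)}]}


def _outcome(token, issuer, store, secret):
    try:
        return "accepted sub=" + verify_id_token(token, issuer, store, secret)["sub"]
    except ValueError as exc:
        return "rejected: " + str(exc)


def run_demo() -> dict:
    store = KeyStore()
    store.load_from_discovery(DISCOVERY, JWKS)
    iss = DISCOVERY["issuer"]
    return {
        "rs256_exact_iss": _outcome(op_sign_id_token({"iss": iss, "sub": "alice"}, "RS256"), iss, store, CLIENT_SECRET),
        "rs256_prefix_iss": _outcome(op_sign_id_token({"iss": iss + "abop", "sub": "alice"}, "RS256"), iss, store, CLIENT_SECRET),
        "hs256_exact_iss": _outcome(op_sign_id_token({"iss": iss, "sub": "bob"}, "HS256"), iss, store, CLIENT_SECRET),
        "hs256_wrong_secret": _outcome(op_sign_id_token({"iss": iss, "sub": "bob"}, "HS256"), iss, store, b"other"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

The second case is Roland's situation: the token is correctly signed with the OP's published key, but its iss of https://connect.openid4.us/abop is not the issuer that Discovery reported, so the RP rejects it before any key is consulted. A leading-substring match would have let it through; the fix on the OP side is to publish per-tenant provider configuration whose issuer equals the iss it puts in tokens.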