[Openid-specs-ab] id_token_signed_response_alg=none and response_type=id_token

Brian Campbell bcampbell at pingidentity.com
Fri Oct 19 20:15:48 UTC 2012

What should happen when a client registers with
id_token_signed_response_alg=none and then makes an authorization request
with response_type=id_token or any response type that would pass the id
token through the front channel?

This seems like it'd be an error condition (invalid_request maybe?) but I
didn't see anything about it in the specs (please correct me if I'm wrong).

Is there some case where it'd be ok to pass a non-integrity-protected id
token through the front channel?
Do the specs need to say something about this? Or is it left up to
implementation deployment?
Am I missing something here?
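
One way an authorization server could enforce the condition raised above, as an added example that is not part of the original post or of the specs. It treats any response_type containing id_token as front-channel delivery and, as an assumption, rejects it with invalid_request (the error code the post floats) when the client registered id_token_signed_response_alg=none; the client_ids and the CLIENTS table are constructed.

```python
from urllib.parse import parse_qs

# Constructed client registrations (hypothetical client_ids and metadata).
CLIENTS = {
    "client-none": {"id_token_signed_response_alg": "none"},
    "client-rs256": {"id_token_signed_response_alg": "RS256"},
}


def id_token_in_front_channel(response_type: str) -> bool:
    """True when the authorization endpoint itself would return an ID token.

    response_type is a space-delimited, order-independent set, so
    "id_token", "id_token token" and "code id_token" all qualify.
    """
    return "id_token" in response_type.split()


def check_authorization_request(query: str, clients=CLIENTS):
    """Return None if the request may proceed, else an error dict.

    Assumption: invalid_request is the error code, as floated in the post.
    """
    params = parse_qs(query)
    # Duplicate parameters are ambiguous; refuse rather than pick one.
    for name in ("client_id", "response_type"):
        if len(params.get(name, [])) != 1:
            return {"error": "invalid_request",
                    "error_description": f"{name} must appear exactly once"}
    client = clients.get(params["client_id"][0])
    if client is None:
        return {"error": "invalid_request",
                "error_description": "unknown client"}
    # RS256 is the OpenID Connect default when no value is registered.
    alg = client.get("id_token_signed_response_alg", "RS256")
    if alg == "none" and id_token_in_front_channel(params["response_type"][0]):
        return {"error": "invalid_request",
                "error_description": "unsigned ID token cannot be returned "
                                     "from the authorization endpoint"}
    return None
```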