[Openid-specs-ab] Issue #867: Registration Section 2 id_token_signed_response_alg (openid/connect)

John Bradley issues-reply at bitbucket.org
Thu Aug 15 03:31:02 UTC 2013

New issue 867: Registration Section 2 id_token_signed_response_alg

John Bradley:

Remove with the exception of "none" for valid algs.  If a client requests no signature the server should be allowed to do it.  For performance reasons a server only supporting the code flow might have clients register for none and avoid the RS256 signing if the clients don't need it.

The server MUST sign if the id_token is issued in the front channel, or the client has not configured itself out of band or through dynamic client registration for an alg of none.

The none parameter needs to also be allowed in discovery.
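The rule proposed above, sketched as an added example that is not part of the original message or of any OpenID implementation: the OP side picks the ID token algorithm per delivery channel, and the RP side accepts an unsigned token only when it registered none and the token came from the token endpoint. The function names, the "front"/"back" channel labels, and the choice to raise an error instead of substituting another algorithm are assumptions; signature verification itself is out of scope here.

```python
import base64
import json

DEFAULT_ALG = "RS256"  # the signature the message says code-flow clients could avoid

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def header_alg(id_token: str) -> str:
    """Read the alg value from the JOSE header of a compact-serialized token."""
    head = id_token.split(".")[0]
    head += "=" * (-len(head) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(head))["alg"]

def server_alg(registered_alg, channel):
    """OP side: algorithm for an ID token delivered over `channel`
    ("front" = authorization endpoint, "back" = token endpoint)."""
    alg = registered_alg or DEFAULT_ALG  # no registration: client did not opt out
    if alg == "none" and channel == "front":
        # Assumption: refuse rather than silently pick another algorithm.
        raise ValueError("front-channel ID tokens must be signed")
    return alg

def client_accepts(id_token, registered_alg, channel):
    """RP side: alg policy check only (no signature verification).
    An unsigned token passes only if this client registered none
    and received the token from the token endpoint."""
    alg = header_alg(id_token)
    if alg != (registered_alg or DEFAULT_ALG):
        return False
    return alg != "none" or channel == "back"

def make_token(alg):
    """Constructed sample token; the third part is a placeholder, not a signature."""
    header = b64url(json.dumps({"alg": alg}).encode())
    claims = b64url(json.dumps({"sub": "constructed-user"}).encode())
    return f"{header}.{claims}." + ("" if alg == "none" else "placeholder-sig")

if __name__ == "__main__":
    print(server_alg("none", "back"), server_alg(None, "front"))
    print(client_accepts(make_token("none"), "none", "back"))
    print(client_accepts(make_token("none"), "RS256", "back"))
```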
