[Openid-specs-ab] RP Test

Nat Sakimura sakimura at gmail.com
Tue Feb 10 03:08:36 UTC 2015


Hi.

I suppose we should either drop or relax the following. They are not
required in Basic.

rp-idt-kid-absent
rp-idt-kid
rp-alg-rs256
rp-alg-none

Also, I am wondering if the following is accurately reflecting the
standard.

"Uses https for all endpoints unless only using code flow"
(It has no identifier assigned to it.)

Section 3.1.2 states:
Communication with the Authorization Endpoint MUST utilize TLS. See
Section 16.17
<http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements> for
more information on using TLS.

Section 3.1.3 states:
Communication with the Token Endpoint MUST utilize TLS. See Section 16.17
<http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements> for
more information on using TLS.

Section 5.3 states:
Communication with the UserInfo Endpoint MUST utilize TLS. See Section 16.17
<http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements> for
more information on using TLS.

Looks like we are mandating the use of TLS regardless of the flow.


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en