[Openid-specs-ab] Dynamic client registration: Stating intent that request objects are mandatory

Vladimir Dzhuvinov vladimir at connect2id.com
Sun Jul 24 10:20:55 UTC 2016


The point of signed / signed+encrypted request objects is to provide
additional security, and my understanding is that clients registered
with "request_object_signing_alg" and / or "request_uris" must not be
allowed by the OP to make plain OpenID authentication requests. Am I
correct on this? (even though it's not stated in the OIDC specs)

Cheers,

Vladimir
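
The policy asked about above, sketched as an OP-side gate. This is an added example, not part of the original message and not taken from any OP implementation. The function names and the sample request object are constructed, and it covers only signed (not encrypted) request objects passed by value.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_request_object(alg):
    """Constructed sample in compact form: header.payload.placeholder-signature."""
    return ".".join([_b64url({"alg": alg}), _b64url({"scope": "openid"}), "c2ln"])

def _jose_header(compact):
    seg = compact.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header

def check_request_policy(client, params):
    """Return None if the request may proceed to full validation, else an error code.

    client: registered client metadata; params: authentication request parameters.
    """
    alg = client.get("request_object_signing_alg")
    uris = client.get("request_uris") or []
    # Assumption (the policy the post asks about): registering either field
    # signals intent to always use request objects.
    requires_object = bool(alg or uris)
    has_obj, has_uri = "request" in params, "request_uri" in params
    if has_obj and has_uri:
        return "invalid_request"            # the two parameters are mutually exclusive
    if not has_obj and not has_uri:
        return "invalid_request" if requires_object else None
    if has_uri:
        # Simplification: exact match against the pre-registered values.
        if uris and params["request_uri"] not in uris:
            return "invalid_request_uri"
        return None                         # the fetched object still needs the alg check
    try:
        header = _jose_header(params["request"])
    except ValueError:
        return "invalid_request_object"
    if alg and header.get("alg") != alg:
        return "invalid_request_object"     # also rejects a downgrade to alg "none"
    return None                             # signature verification happens after this gate
```
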
