[Openid-specs-ab] RP Tests: ID Token signature validation for code flow

William Denniss wdenniss at google.com
Sun Mar 26 18:13:28 UTC 2017


Regarding the 'code' response type tests
<https://rp.certification.openid.net:8080/list?profile=C>, my understanding
is that it's not necessary to validate the ID Token signature as it was
obtained via a HTTPS connection to the OP.

This test follows that logic:
rp-id_token-sig-none

However, these 4 tests assume signature validation for the code flow:
rp-id_token-kid-absent-single-jwks
rp-id_token-kid-absent-multiple-jwks
rp-id_token-bad-sig-rs256
rp-id_token-sig-rs256

Can they be made optional for the 'code' response type tests?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170326/2a80c9ed/attachment.html>


More information about the Openid-specs-ab mailing list