[Openid-specs-ab] RP Tests: ID Token signature validation for code flow
Michael.Jones at microsoft.com
Sun Mar 26 20:29:59 UTC 2017
One thought is that this maybe should depend upon how the RP registers. If it registers with support for signature algorithms, then that support should be tested – even for response_type=code. If it registers only with support for “alg”: “none”, then it obviously can’t be tested then.
My logic is that if the RP can check signatures, the OP provides a bad signature, and the RP doesn’t catch it, that seems like a scenario what shouldn’t pass certification. Let’s talk about this in person in Chicago this week. I’d love to hear what others think about this as well.
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss via Openid-specs-ab
Sent: Sunday, March 26, 2017 11:13 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] RP Tests: ID Token signature validation for code flow
Regarding the 'code' response type tests<https://rp.certification.openid.net:8080/list?profile=C>, my understanding is that it's not necessary to validate the ID Token signature as it was obtained via a HTTPS connection to the OP.
This test follows that logic:
However, these 4 tests assume signature validation for the code flow:
Can they be made optional for the 'code' response type tests?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab