[Openid-specs-fapi] Issue #208: Part 2 should limit allowed JWE algorithms (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Wed Jan 9 10:42:37 UTC 2019

New issue 208: Part 2 should limit allowed JWE algorithms

Joseph Heenan:

The current spec says:

> JWS algorithm considerations
> Both clients and authorisation servers:
> shall use PS256 or ES256 algorithms;
> should not use algorithms that use RSASSA-PKCS1-v1_5 (e.g. RS256);
> shall not use none;

I think it's an oversight that this says "JWS" at the start. I think it was intended to cover JWE too. Simplest fix is to tweak the section title to say "JWS/JWE considerations".
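An added example, not part of the original message or of the FAPI specification: a Python check that applies the quoted clause to the protected header of a compact JOSE object, and reports compact JWE input as outside the clause as currently titled, which is the gap this issue raises. It assumes compact serialization (three segments for JWS, five for JWE); the function names, result strings and sample tokens are constructed for illustration.

```python
import base64
import json

ALLOWED_JWS_ALGS = {"PS256", "ES256"}          # "shall use PS256 or ES256"
PKCS1_V1_5_ALGS = {"RS256", "RS384", "RS512"}  # RSASSA-PKCS1-v1_5 family (RFC 7518)


def _b64url_decode(segment: str) -> bytes:
    # JOSE strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample(header: dict, segments: int = 3) -> str:
    # Constructed sample: real header, placeholder bytes in the other segments.
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return ".".join([head.decode("ascii")] + ["AA"] * (segments - 1))


def check_jose_alg(token: str) -> str:
    """Classify a compact JOSE object against the quoted clause."""
    parts = token.split(".")
    if len(parts) == 5:
        # Compact JWE: the clause is titled "JWS", so it is silent here.
        return "jwe: not covered by the JWS clause"
    if len(parts) != 3:
        return "reject: not a compact JWS or JWE"
    try:
        alg = json.loads(_b64url_decode(parts[0]))["alg"]
    except (ValueError, KeyError, TypeError):
        return "reject: unreadable protected header"
    if not isinstance(alg, str):
        return "reject: unreadable protected header"
    if alg in ALLOWED_JWS_ALGS:
        return "ok"
    if alg == "none":
        return "reject: none"
    if alg in PKCS1_V1_5_ALGS:
        return "reject: RSASSA-PKCS1-v1_5"
    return "reject: not in allowlist"


if __name__ == "__main__":
    samples = [({"alg": "PS256"}, 3), ({"alg": "RS256"}, 3), ({"alg": "none"}, 3),
               ({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5)]
    for header, count in samples:
        print(header["alg"], "->", check_jose_alg(make_sample(header, count)))
```

The check only inspects the header; it does not verify a signature or decrypt anything, so it belongs before, not instead of, the library's verification step.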

