[Openid-specs-fapi] Issue #277: FAPI-RW: Is disallowing signed id_tokens allowed? (i.e. always used signed+encrypted) (openid/fapi)
issues-reply at bitbucket.org
Wed Jan 22 00:15:52 UTC 2020
New issue 277: FAPI-RW: Is disallowing signed id_tokens allowed? (i.e. always used signed+encrypted)
> shall support signed ID Tokens;
> should support signed and encrypted ID Tokens;
I’m not sure whether to read this as “must support either JWS or JWE id_tokens”, or if it’s “must support JWS and may support JWE”.
i.e. can authorization servers opt to always use encryption?
Naively I can’t see any reason to rule out going all-in on encryption, unless it’s for interoperability reasons. (And if it is for interoperability, it might be worth adding a note to that effect.)