[OpenID] OpenID Information Card - OpenIDToken encryption
Johnny Bufu
johnny at sxip.com
Fri Feb 22 17:26:58 UTC 2008
On 21-Feb-08, at 9:55 PM, Prabath Siriwardena wrote:
> In the case of Information cards with SAML token type, we encrypt the
> SAML assertions, so - at the RP end it will receive an encrypted
> "xmlToken".
>
> But, I've being testing with an OpenID Information card, downloaded
> from https://openidcards.sxip.com/TokenService/ - and it seems this
> has not encrypted the 'xmlToken' - that is I received the 'xmlToken'
> in clear text.
>
> Can you please explain a bit on this.. or is this just for the
> testing purpose?
The Infocard OpenID provider does not encrypt the OpenID tokens, by
design.
Once an unencrypted token reaches the identity selector, it then has
the choice of encrypting it or submitting it as is to the RP
(Cardspace does the former).
It is not very clearly spelled out in the infocard specs though.
Johnny
More information about the general
mailing list