[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?
Torsten Lodderstedt
torsten at lodderstedt.net
Sun Nov 9 11:46:20 UTC 2014
Hi Nov,
I don't think there is a need to limit ID token protection in the
migration spec to asymmetric signatures. HMAC or TLS (for direct
communication/grant type code) also work.
I therefore created a tracker issue to remove this constraint.
https://bitbucket.org/openid/connect/issue/964/id-token-protection-rules-already-defined
kind regards,
Torsten.
Am 06.11.2014 10:06, schrieb nov matake:
> Section 4 of migration spec says
>
> ==
> If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found,
> then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name
> ==
>
> but I couldn’t find the reason why it must be “asymmetric”.
>
> ps.
> Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might be hard for them to support migration spec.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
More information about the Openid-specs-ab
mailing list