[Openid-specs-ab] Two issues on id_token_hint [1]
Roland Hedberg
roland.hedberg at umu.se
Sat Nov 22 07:59:26 UTC 2014
Hi!
In the core spec it’s stated:
"The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value."
It's not clear to me which algorithms can/should be used by the client.
In client registration, the client and server, using id_token_encrypted_response_alg &
id_token_encrypted_response_enc, agree on what to use when the server encrypts an ID Token for the client.
There is nothing agreed on when the client is encrypting something for the server.
That leads to two possible interpretations:
1) The id_token_encrypted_response_alg & id_token_encrypted_response_enc should also be used
when the client encrypts ID Tokens for the server.
2) The client is free to use whatever algorithms the server has published using
id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported
in the discovery phase given that the client has suitable keys.
I think we should make clear which behavior we expect.
— Roland
"Being able to think like a child is an important attribute of being an adult" - Eddie Izzard
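Added example (not part of Roland's message or of any OpenID implementation): the two interpretations above written out as client-side selection logic. The provider metadata, client registration and provider JWKS below are constructed sample data, and the key-suitability rules (key type per alg from RFC 7518, `use`/`alg` filtering from RFC 7517) are the checks a client would need either way. It stops at the JWE protected header of the nested JWT (`cty: "JWT"`, RFC 7519 §5.2), since the remaining segments need a JOSE library and a real provider key.

```python
"""Choosing JWE alg/enc when a client re-encrypts a signed ID Token as id_token_hint.

Constructed data throughout; no real provider is modelled.
Interpretation 1: reuse the client's registered id_token_encrypted_response_alg/enc.
Interpretation 2: pick from the provider's published id_token_encryption_*_values_supported,
restricted to algorithms for which the provider JWKS holds a usable encryption key.
"""
import base64
import json

# JWK key type each JWE key-management alg requires (RFC 7518, section 4).
ALG_KTY = {
    "RSA1_5": "RSA", "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA",
    "ECDH-ES": "EC", "ECDH-ES+A128KW": "EC", "ECDH-ES+A256KW": "EC",
    "A128KW": "oct", "A256KW": "oct", "dir": "oct",
}

# Constructed sample inputs (hypothetical provider and client).
PROVIDER_METADATA = {
    "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5", "ECDH-ES"],
    "id_token_encryption_enc_values_supported": ["A128GCM", "A256GCM", "A128CBC-HS256"],
}
CLIENT_REGISTRATION = {
    "id_token_encrypted_response_alg": "RSA1_5",
    "id_token_encrypted_response_enc": "A128CBC-HS256",
}
PROVIDER_JWKS = {"keys": [
    # Modulus/coordinates elided: only the metadata fields matter for selection.
    {"kty": "RSA", "kid": "op-enc-1", "use": "enc", "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "op-sig-1", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"},
    {"kty": "EC", "kid": "op-enc-2", "use": "enc", "crv": "P-256", "x": "...", "y": "..."},
]}
# Constructed compact JWS standing in for a signed ID Token; the signature is a placeholder.
SIGNED_ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"


def suitable_keys(jwks, alg):
    """Provider keys the client could encrypt to with `alg`."""
    kty = ALG_KTY.get(alg)
    return [
        k for k in jwks["keys"]
        if k.get("kty") == kty
        and k.get("use", "enc") == "enc"   # missing 'use' permits encryption
        and k.get("alg", alg) == alg       # missing 'alg' permits any alg of that kty
    ]


def choose_registered(metadata, registration, jwks):
    """Interpretation 1: the registered response alg/enc also govern what the client sends."""
    alg = registration["id_token_encrypted_response_alg"]
    enc = registration["id_token_encrypted_response_enc"]
    if alg not in metadata["id_token_encryption_alg_values_supported"]:
        raise ValueError(f"registered alg {alg} is not advertised by the provider")
    if enc not in metadata["id_token_encryption_enc_values_supported"]:
        raise ValueError(f"registered enc {enc} is not advertised by the provider")
    keys = suitable_keys(jwks, alg)
    if not keys:
        raise ValueError(f"provider publishes no encryption key usable with {alg}")
    return alg, enc, keys[0]["kid"]


def choose_published(metadata, jwks):
    """Interpretation 2: first advertised alg (provider order) backed by a usable key."""
    for alg in metadata["id_token_encryption_alg_values_supported"]:
        keys = suitable_keys(jwks, alg)
        if keys:
            enc = metadata["id_token_encryption_enc_values_supported"][0]
            return alg, enc, keys[0]["kid"]
    raise ValueError("no advertised alg has a matching key in the provider JWKS")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_header(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jwe_protected_header(signed_id_token, alg, enc, kid):
    """First JWE segment for the re-encrypted ID Token; cty=JWT marks the nested JWS."""
    if signed_id_token.count(".") != 2:
        raise ValueError("id_token must be a compact JWS (three segments)")
    header = {"alg": alg, "enc": enc, "kid": kid, "cty": "JWT"}
    return b64url(json.dumps(header, separators=(",", ":")).encode())


if __name__ == "__main__":
    for label, choice in (
        ("registered", choose_registered(PROVIDER_METADATA, CLIENT_REGISTRATION, PROVIDER_JWKS)),
        ("published", choose_published(PROVIDER_METADATA, PROVIDER_JWKS)),
    ):
        alg, enc, kid = choice
        print(label, alg, enc, kid, jwe_protected_header(SIGNED_ID_TOKEN, alg, enc, kid))
```

With the sample data the two readings already diverge: interpretation 1 yields RSA1_5 with A128CBC-HS256, interpretation 2 yields the provider's first preference, RSA-OAEP with A128GCM. Interpretation 1 also has a failure mode the spec text does not address, namely a registered alg or enc that the provider never advertised or has no encryption key for; the function raises in that case rather than guessing.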