[Openid-specs-ab] Two issues on id_token_hint [1]

Mike Jones Michael.Jones at microsoft.com
Sat Nov 22 18:34:06 UTC 2014


It has to be an algorithm advertised by the server using a key advertised by the server.  I agree that we should have probably had a different discovery property for this, but I think the best we can do at present is to use algorithms listed in request_object_encryption_alg_values_supported and request_object_encryption_enc_values_supported, or if these aren't present, those listed in id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported.

There will also have to be appropriate keys listed in the server's jwks_uri document.  They should have "use":"enc".  Those may have "alg" values on them as well, but that's optional.

				-- Mike

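To make the selection procedure Mike describes concrete, here is an added example (not code from the thread or from any OpenID implementation) that picks the JWE key-management and content-encryption algorithms from server discovery metadata, preferring `request_object_encryption_*_values_supported` and falling back to `id_token_encryption_*_values_supported`, and then chooses a server key from the `jwks_uri` document with `"use":"enc"` and a matching `"alg"` when one is present. The discovery documents, the JWKS and the client's algorithm lists are constructed sample data; the function names are the example's own, and the JWE encryption step itself (left to a JOSE library) is not shown.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample discovery metadata: the server advertises request-object
# encryption algorithms, so those take precedence for id_token_hint.
SAMPLE_DISCOVERY: Dict = {
    "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5"],
    "request_object_encryption_enc_values_supported": ["A256GCM"],
    "id_token_encryption_alg_values_supported": ["RSA1_5"],
    "id_token_encryption_enc_values_supported": ["A128CBC-HS256"],
}

# Constructed variant with no request_object_* entries, forcing the fallback.
SAMPLE_DISCOVERY_NO_RO: Dict = {
    "id_token_encryption_alg_values_supported": ["RSA1_5"],
    "id_token_encryption_enc_values_supported": ["A128CBC-HS256"],
}

# Constructed sample jwks_uri document (key material omitted; only the
# fields that drive key selection are present).
SAMPLE_JWKS: Dict = {
    "keys": [
        {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256"},
        {"kty": "RSA", "kid": "enc-rsa15", "use": "enc", "alg": "RSA1_5"},
        {"kty": "RSA", "kid": "enc-1", "use": "enc"},
        {"kty": "EC", "kid": "enc-ec", "use": "enc", "crv": "P-256"},
    ]
}

# What this hypothetical client is able to use (server order decides among these).
CLIENT_ALGS: List[str] = ["RSA-OAEP", "RSA1_5", "ECDH-ES"]
CLIENT_ENCS: List[str] = ["A256GCM", "A128CBC-HS256"]


def select_hint_encryption_algs(discovery: Dict, client_algs: List[str],
                                client_encs: List[str]) -> Optional[Tuple[str, str]]:
    """Return (alg, enc) for re-encrypting an ID Token as id_token_hint.

    Precedence follows the thread: request_object_encryption_* first; if the
    server does not advertise that pair, id_token_encryption_*.  Within a
    pair the server's listed order is kept and the first value the client
    also supports wins.  None means the server advertised nothing usable, so
    the client should send the signed ID Token unencrypted instead of
    guessing an algorithm.
    """
    for prefix in ("request_object_encryption", "id_token_encryption"):
        algs = [a for a in discovery.get(f"{prefix}_alg_values_supported", [])
                if a in client_algs]
        encs = [e for e in discovery.get(f"{prefix}_enc_values_supported", [])
                if e in client_encs]
        if algs and encs:
            return algs[0], encs[0]
    return None


def _kty_for_alg(alg: str) -> Optional[str]:
    """Map a JWE key-management algorithm family to the JWK key type it needs."""
    if alg.startswith("RSA"):
        return "RSA"
    if alg.startswith("ECDH-ES"):
        return "EC"
    return None


def select_server_encryption_key(jwks: Dict, alg: str) -> Optional[Dict]:
    """Pick the server public key the client encrypts to.

    The key must be marked "use":"enc"; a key carrying an "alg" is only used
    when that value equals the chosen algorithm; and the key type must fit
    the algorithm family (an RSA alg needs an RSA key, ECDH-ES an EC key).
    """
    wanted_kty = _kty_for_alg(alg)
    for key in jwks.get("keys", []):
        if key.get("use") != "enc":
            continue                      # signing keys are never encrypted to
        if "alg" in key and key["alg"] != alg:
            continue                      # key pinned to a different algorithm
        if wanted_kty is not None and key.get("kty") != wanted_kty:
            continue                      # wrong key type for this alg
        return key
    return None


def plan_id_token_hint(discovery: Dict, jwks: Dict) -> Optional[Tuple[str, str, str]]:
    """Combine both steps: (alg, enc, kid) or None if no encryption is possible."""
    chosen = select_hint_encryption_algs(discovery, CLIENT_ALGS, CLIENT_ENCS)
    if chosen is None:
        return None
    alg, enc = chosen
    key = select_server_encryption_key(jwks, alg)
    if key is None:
        return None
    return alg, enc, key["kid"]


if __name__ == "__main__":
    print(plan_id_token_hint(SAMPLE_DISCOVERY, SAMPLE_JWKS))
    print(plan_id_token_hint(SAMPLE_DISCOVERY_NO_RO, SAMPLE_JWKS))
```

With the first discovery document the plan is `('RSA-OAEP', 'A256GCM', 'enc-1')`: the `enc-rsa15` key is skipped because its `"alg"` is pinned to `RSA1_5`. With the fallback document the plan is `('RSA1_5', 'A128CBC-HS256', 'enc-rsa15')`, showing why the optional `"alg"` on a JWK matters when a server publishes several encryption keys.
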
-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Roland Hedberg
Sent: Friday, November 21, 2014 11:59 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Two issues on id_token_hint [1]

Hi!

In the core spec it’s stated:

"The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value."

It’s not clear to me which algorithms can/should be used by the client.

In client registration, the client and server, using id_token_encrypted_response_alg & id_token_encrypted_response_enc, agree on what to use when the server encrypts an ID Token for the client.

There is nothing agreed on when the client is encrypting something for the server.

That leads to two possible interpretations:
1) The id_token_encrypted_response_alg & id_token_encrypted_response_enc should also be used when the client encrypts IdTokens for the server.

2) The client is free to use whatever algorithms the server has published using id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported
in the discovery phase given that the client has suitable keys.

I think we should make clear which behavior we expect.

— Roland

"Being able to think like a child is an important attribute of being an adult" - Eddie Izzard
