[Openid-specs-ab] Two issues on id_token_hint [1]

Roland Hedberg roland.hedberg at umu.se
Sat Nov 22 20:56:14 UTC 2014


> 22 nov 2014 kl. 19:34 skrev Mike Jones <Michael.Jones at microsoft.com>:
> 
> It has to be an algorithm advertised by the server using a key advertised by the server.  I agree that we should have probably had a different discovery property for this, but I think the best we can do at present is to use algorithms listed in request_object_encryption_alg_values_supported and request_object_encryption_enc_values_supported

request_object_encryption_* when it’s not the request object as a whole that is encrypted but only the IdToken?
I would have expected it to be the id_token_encryption_* algorithms that were used and nothing else.

> , or if these aren't present, those listed in id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported.
> 
> There will also have to be appropriate keys listed in the server's jwks_uri document.  They should have "use":"enc".  Those may have "alg" values on them as well, but that's optional.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Roland Hedberg
> Sent: Friday, November 21, 2014 11:59 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Two issues on id_token_hint [1]
> 
> Hi!
> 
> In the core spec it’s stated:
> 
> ”The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.”
> 
> It’s not clear to me which algorithms can/should be used by the client.
> 
> In client registration, the client and server, using id_token_encrypted_response_alg & id_token_encrypted_response_enc, agree on what to use when the server encrypts an IdToken for the client.
> 
> There is nothing agreed on when the client is encrypting something for the server.
> 
> That leads to two possible interpretations:
> 1) The id_token_encrypted_response_alg & id_token_encrypted_response_enc should also be used when the client encrypts IdTokens for the server.
> 
> 2) The client is free to use whatever algorithms the server has published using id_token_encryption_alg_values_supported and id_token_encryption_enc_values_supported
> in the discovery phase given that the client has suitable keys.
> 
> I think we should make clear which behavior we expect.
> 
> — Roland
> 
> ”Being able to think like a child is an important attribute of being an adult” - Eddie Izzard
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

— Roland

”Being able to think like a child is an important attribute of being an adult” - Eddie Izzard
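The selection rule Mike describes, written out as an added example (not code from this thread or from any OpenID Connect implementation): prefer the request_object_encryption_* discovery values, fall back to id_token_encryption_*, and choose a jwks_uri key marked "use":"enc" whose optional "alg" matches. The discovery document, JWKS entries (key material omitted) and function names are constructed for illustration.

```python
# Constructed sample of an OP discovery document (only the relevant fields).
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.com",
    "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP"],
    "request_object_encryption_enc_values_supported": ["A128CBC-HS256"],
    "id_token_encryption_alg_values_supported": ["RSA-OAEP"],
    "id_token_encryption_enc_values_supported": ["A256GCM"],
}

# Constructed sample of the server's jwks_uri document; key material omitted.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA1_5"},
    {"kty": "RSA", "kid": "enc-2", "use": "enc"},
]}


def hint_encryption_algs(discovery):
    """Return (alg values, enc values) the client may use for id_token_hint.

    request_object_encryption_* takes precedence; if either list is absent
    the id_token_encryption_* lists are used instead.
    """
    alg = discovery.get("request_object_encryption_alg_values_supported")
    enc = discovery.get("request_object_encryption_enc_values_supported")
    if not alg or not enc:
        alg = discovery.get("id_token_encryption_alg_values_supported", [])
        enc = discovery.get("id_token_encryption_enc_values_supported", [])
    return list(alg), list(enc)


def pick_encryption_key(jwks, alg):
    """First server key usable with 'alg': it must carry "use":"enc", and
    an "alg" member on the key, if present, must match."""
    for key in jwks.get("keys", []):
        if key.get("use") != "enc":
            continue
        if "alg" in key and key["alg"] != alg:
            continue
        return key
    return None


def choose_hint_parameters(discovery, jwks, client_supported_algs):
    """Pick (alg, enc, kid) for re-encrypting the signed ID Token, or None
    when the server advertises nothing the client can use."""
    algs, encs = hint_encryption_algs(discovery)
    for alg in algs:
        if alg not in client_supported_algs or not encs:
            continue
        key = pick_encryption_key(jwks, alg)
        if key is not None:
            return alg, encs[0], key.get("kid")
    return None
```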