[Openid-specs-ab] RP Test
Nat Sakimura
sakimura at gmail.com
Tue Feb 10 03:08:36 UTC 2015
Hi.

I suppose we should either drop or relax the following. They are not
required in Basic.

    rp-idt-kid-absent
    rp-idt-kid
    rp-alg-rs256
    rp-alg-none

Also, I am wondering if the following is accurately reflecting the
standard.

    "Uses https for all endpoints unless only using code flow"

(It has no identifier assigned to it.)

Section 3.1.2 states:

    Communication with the Authorization Endpoint MUST utilize TLS. See
    Section 16.17
    <http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements>
    for more information on using TLS.

Section 3.1.3 states:

    Communication with the Token Endpoint MUST utilize TLS. See
    Section 16.17
    <http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements>
    for more information on using TLS.

Section 5.3 states:

    Communication with the UserInfo Endpoint MUST utilize TLS. See
    Section 16.17
    <http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements>
    for more information on using TLS.

Looks like we are mandating to use TLS regardless of the flow.

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en