[Openid-specs-ab] RP Tests: ID Token signature validation for code flow
William Denniss
wdenniss at google.com
Sun Mar 26 18:13:28 UTC 2017
Regarding the 'code' response type tests
<https://rp.certification.openid.net:8080/list?profile=C>, my understanding
is that it's not necessary to validate the ID Token signature as it was
obtained via an HTTPS connection to the OP.

This test follows that logic:

  rp-id_token-sig-none

However, these 4 tests assume signature validation for the code flow:

  rp-id_token-kid-absent-single-jwks
  rp-id_token-kid-absent-multiple-jwks
  rp-id_token-bad-sig-rs256
  rp-id_token-sig-rs256

Can they be made optional for the 'code' response type tests?
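
The RP-side decision that the five tests named in the message exercise, as an added example (not part of the original message or of the certification suite): whether an ID Token's signature has to be checked, and which JWKS keys are candidates when `kid` is absent. The function name, the `trust_tls` switch, the exact-match `alg` policy and the sample JWK Sets are assumptions of this example; the RS256 verification itself is left to a JOSE library.

```python
import base64, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(header: dict, sig: str = "c2ln") -> str:
    # Constructed sample token; the signature segment is a dummy value.
    claims = {"iss": "https://op.example", "sub": "alice"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), sig])

def plan_signature_check(id_token, jwks, via_token_endpoint,
                         registered_alg="RS256", trust_tls=False):
    """Return ("skip", []) or ("verify", candidate_keys); raise ValueError to reject."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    alg = header.get("alg")
    if alg != registered_alg:  # policy assumed by this example
        raise ValueError("alg differs from the one registered for this client")
    if alg == "none":
        # Unsigned ID Tokens are only acceptable from the token endpoint.
        if not via_token_endpoint or parts[2] != "":
            raise ValueError("unsigned ID Token not acceptable here")
        return "skip", []
    if via_token_endpoint and trust_tls:
        # The position in the message: TLS to the OP stands in for the signature.
        return "skip", []
    if alg != "RS256":
        raise ValueError("only RS256 key selection is shown in this example")
    keys = [k for k in jwks["keys"]
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"
            and k.get("alg", alg) == alg]
    if "kid" in header:
        keys = [k for k in keys if k.get("kid") == header["kid"]]
    if not keys:
        raise ValueError("no usable key in JWKS")
    # kid absent: every remaining key is a candidate; the caller tries each one.
    return "verify", keys

# Constructed JWK Sets; the "n" values are placeholders, not real moduli.
SINGLE = {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"}]}
MULTI = {"keys": SINGLE["keys"] + [
    {"kty": "RSA", "kid": "k2", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "kid": "k3", "use": "enc", "n": "PLACEHOLDER", "e": "AQAB"}]}
```

With `trust_tls=False` a code-flow RP behaves as the four RS256/kid tests expect; with `trust_tls=True` it skips the check for tokens fetched from the token endpoint, which is the behaviour the message asks the tests to allow.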