[Openid-specs-ab] RP Tests: ID Token signature validation for code flow

[Mike Jones]

One thought is that this maybe should depend upon how the RP registers.  If it registers with support for signature algorithms, then that support should be tested – even for response_type=code.  If it registers only with support for “alg”: “none”, then it obviously can’t be tested then.

My logic is that if the RP can check signatures, the OP provides a bad signature, and the RP doesn’t catch it, that seems like a scenario what shouldn’t pass certification.  Let’s talk about this in person in Chicago this week.  I’d love to hear what others think about this as well.

                                                       -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss via Openid-specs-ab
Sent: Sunday, March 26, 2017 11:13 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] RP Tests: ID Token signature validation for code flow

Regarding the 'code' response type tests<https://rp.certification.openid.net:8080/list?profile=C>, my understanding is that it's not necessary to validate the ID Token signature as it was obtained via a HTTPS connection to the OP.

This test follows that logic:
rp-id_token-sig-none

However, these 4 tests assume signature validation for the code flow:
rp-id_token-kid-absent-single-jwks
rp-id_token-kid-absent-multiple-jwks
rp-id_token-bad-sig-rs256
rp-id_token-sig-rs256

Can they be made optional for the 'code' response type tests?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170326/0c1398da/attachment.html>