[Openid-specs-ab] Issue #1063: Guidance around algorithm migration (openid/connect)

Dave Tonge issues-reply at bitbucket.org
Thu Jan 17 04:38:14 UTC 2019


New issue 1063: Guidance around algorithm migration
https://bitbucket.org/openid/connect/issues/1063/guidance-around-algorithm-migration

Dave Tonge:

We discussed this briefly on the FAPI call yesterday. Currently the UK OpenBanking ecosystem is going through a migration from RS256 to PS256 algorithms for both the signing of ID Tokens and of Request Objects.

The current OpenID Connect Dynamic Client Registration spec defines the following Client metadata parameters:

 - `id_token_signed_response_alg`
 - `request_object_signing_alg`
 - `token_endpoint_auth_signing_alg`
 - `userinfo_signed_response_alg`

as single values. This is problematic when it comes to a smooth migration as it implies that an OP should only ever sign ID Tokens with a single algorithm for a particular Client and that the Client should only sign request objects with a single algorithm.

To enable smoother migration it would be better for OPs to be able to signal to Clients that there are two algorithms they may use to sign ID Tokens and the Client should be prepared to accept either signing algorithm. Likewise the Client should be able to signal to the OP that there are two signing algorithms that it may use to sign request objects and the OP should accept either. This would prevent a hard switchover which would be likely to result in some maintenance downtime.

Is it possible to add some guidance around this?
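As an added example (not part of Dave Tonge's post and not text from any OpenID specification), the Python below shows how a Relying Party could enforce the dual-algorithm policy the issue proposes while verifying ID Tokens. It assumes the hypothetical list form of `id_token_signed_response_alg` from the proposal (the current spec only allows a single string, which the code also accepts, defaulting to RS256 when absent as the spec does); the OP side uses the standard discovery field `id_token_signing_alg_values_supported`. The sample metadata and tokens are constructed, the token signatures are placeholders, and the actual RSA-PSS / PKCS#1 v1.5 signature check is left to whichever JOSE library the RP uses: the point demonstrated is that the set of acceptable `alg` values is fixed from registered metadata before the token header is consulted, so the migration window (RS256 and PS256 both accepted) and the post-migration state (PS256 only) are each an explicit allowlist rather than something the token itself gets to choose.

```python
import base64
import json

# Constructed Client metadata as registered at the OP. The list-valued form of
# id_token_signed_response_alg is the issue's proposal, not the current spec.
CLIENT_METADATA_MIGRATING = {"id_token_signed_response_alg": ["RS256", "PS256"]}
CLIENT_METADATA_AFTER = {"id_token_signed_response_alg": "PS256"}

# Constructed OP discovery metadata (the field name itself is standard).
OP_METADATA = {"id_token_signing_alg_values_supported": ["RS256", "PS256"]}

# Only asymmetric JWS algorithms make sense for OP-signed ID Tokens; "none" and
# the HMAC family are never acceptable regardless of what metadata says.
ASYMMETRIC_ALGS = {
    "RS256", "RS384", "RS512",
    "PS256", "PS384", "PS512",
    "ES256", "ES384", "ES512",
}


def acceptable_algs(client_metadata, op_metadata):
    """Allowlist of ID Token signing algs this Client will verify.

    Intersection of what the Client registered (string or, per the proposal,
    a list) with what the OP advertises, restricted to asymmetric algorithms.
    """
    registered = client_metadata.get("id_token_signed_response_alg", "RS256")
    if isinstance(registered, str):
        registered = [registered]
    supported = set(op_metadata.get("id_token_signing_alg_values_supported", []))
    allowed = (set(registered) & supported) & ASYMMETRIC_ALGS
    if not allowed:
        raise ValueError("no common asymmetric signing algorithm between Client and OP")
    return allowed


def _b64url_decode(segment):
    # Compact JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def select_verification_alg(compact_jws, allowed):
    """Return the alg to verify with, or raise if the header is outside the allowlist.

    Called before any cryptographic verification: the header's alg is only a
    hint that must match the pre-computed allowlist, never a free choice.
    """
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not acceptable; allowed: {sorted(allowed)}")
    return alg


def sample_token(alg):
    """Constructed ID Token with the given header alg and a placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://op.example", "sub": "u1"}).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # During migration both algorithms verify; afterwards only PS256 does.
    during = acceptable_algs(CLIENT_METADATA_MIGRATING, OP_METADATA)
    after = acceptable_algs(CLIENT_METADATA_AFTER, OP_METADATA)
    print("during migration:", select_verification_alg(sample_token("RS256"), during))
    print("after migration: ", select_verification_alg(sample_token("PS256"), after))
    try:
        select_verification_alg(sample_token("RS256"), after)
    except ValueError as e:
        print("rejected after migration:", e)
```

The algorithm returned by `select_verification_alg` is the one the RP then passes to its JOSE library together with the key looked up by `kid`; the library must be told which algorithm to use rather than being allowed to read it from the token, otherwise the allowlist is bypassed. The same shape applies to `request_object_signing_alg` on the OP side, with the roles reversed.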
