[Openid-specs-ab] Issue #1476: validation of 'alg' in backchannel logout token (openid/connect)

josephheenan issues-reply at bitbucket.org
Wed Apr 20 16:53:35 UTC 2022


New issue 1476: validation of 'alg' in backchannel logout token
https://bitbucket.org/openid/connect/issues/1476/validation-of-alg-in-backchannel-logout

Joseph Heenan:

[https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation](https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation) says nothing about ‘alg’ and hence I believe clients are expected to follow OIDC id token validation, which says:

> “The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the id_token_signed_response_alg parameter during Registration.”

The ‘should’ implies that checking ‘alg’ is recommended but not required behaviour.

The certificate suite contains a test “rp-backchannel-rpinitlogout-lt-wrong-alg” which requires the client to reject a logout token which is signed with [for a static client] an alg other than RS256, implying this is required behaviour and not a ‘should’.

The logout spec should probably clarify how ‘alg’ must be verified, or we should change the certification test to only ‘warn’ rather than ‘fail’ when this test fails.

(This was raised with the certification team by Raymond Field at Mvine)
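What the certification test described above effectively demands of a relying party, as an added example that is not part of the issue, the spec or the conformance suite: a strict ‘alg’ check on the logout token header, done before any signature verification, that accepts only RS256 or the alg the client registered as id_token_signed_response_alg. Everything in it (the `check_logout_token_alg` helper, the claims, the dummy signature) is constructed for the demonstration.

```python
import base64
import json
from typing import Optional, Tuple

# OIDC Core default, which the logout spec is assumed (per the issue) to inherit:
# RS256 unless the client registered id_token_signed_response_alg.
DEFAULT_ALG = "RS256"

# Constructed logout-token claims for the demonstration (not real data).
CONSTRUCTED_CLAIMS = {
    "iss": "https://op.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "iat": 1650470015,
    "jti": "bWJq",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
}

def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_logout_token_alg(token: str, registered_alg: Optional[str] = None) -> Tuple[bool, str]:
    """Strict 'alg' check, run before any signature verification.

    Treats the OIDC Core 'SHOULD' as a hard requirement, as the certification
    test in the issue does: exactly one alg is accepted, so 'none', HMAC algs
    and anything else chosen by the token's sender are rejected up front.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS (expected three segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return False, "header is not base64url-encoded JSON"
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str):
        return False, "header has no string 'alg'"
    want = registered_alg or DEFAULT_ALG  # the one alg the RP accepts
    if alg != want:  # JWS alg names are case-sensitive; compare exactly
        return False, f"alg {alg!r} rejected; RP expects {want!r}"
    return True, "alg ok; proceed to signature and claim validation"

def make_test_token(header: dict, claims: dict = CONSTRUCTED_CLAIMS) -> str:
    """Build a constructed token with a dummy signature (fixture only, never signed)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```

Because the check runs on the header alone, the token's sender never gets to steer which verification key or algorithm the RP uses; the signature is only verified afterwards with the key for the one expected alg.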
