[Openid-specs-ab] Issue #1546: query over updating certification tests to allow unsigned id_tokens (openid/connect)

josephheenan issues-reply at bitbucket.org
Tue Jul 12 17:03:53 UTC 2022


New issue 1546: query over updating certification tests to allow unsigned id_tokens
https://bitbucket.org/openid/connect/issues/1546/query-over-updating-certification-tests-to

Joseph Heenan:

The certification team would appreciate guidance over a recent issue that was opened: https://gitlab.com/openid/conformance-suite/-/issues/1054

Essentially this is an OP that uses `response_type=code` and returns an unsigned (alg none) id_token from the token endpoint.

This is permitted by the OpenID Connect standard, but the java certification suite has never allowed it (not entirely as a conscious decision; nimbus-jose-jwt requires extra code to be written to opt into supporting alg none, and that code had never been written). I'm not sure if the python suite had previously allowed this or not.

Given the various changes to the OIDCC certification tests that the WG has previously asked to be made around making support for alg: none optional for RPs & OPs (various tickets linked from https://gitlab.com/openid/conformance-suite/-/issues/878), it seemed best for us to check with the WG before allowing alg: none in this case.

If we were to allow alg: none here, I'd imagine we should make the test go to 'WARNING' status (which still permits certification) with a message saying that any use of alg:none is considered to be a well known cause of security vulnerabilities and is known to not be interoperable.

(As per the gitlab issue, we'd also need to support OPs that don't have a jwks_uri, but that seems less controversial than the above.)
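The policy sketched in the post, as an added example that is not part of the original message or of the conformance suite: inspect the JOSE header of a received id_token and only tolerate alg none (downgraded to WARNING) when the token came from the token endpoint in the code flow and the checker was explicitly told to permit it. The function and status names other than WARNING are assumed here, as are the constructed sample tokens.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _make_token(header: dict, payload: dict, signature: bytes = b"") -> str:
    # Compact JWS serialization; an alg:none token has an empty signature part.
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(signature)])


# Constructed sample id_tokens (hypothetical claims, not real issuer data).
CLAIMS = {"iss": "https://op.example", "sub": "alice", "aud": "client-1"}
UNSIGNED_ID_TOKEN = _make_token({"alg": "none"}, CLAIMS)
SIGNED_ID_TOKEN = _make_token({"alg": "RS256", "kid": "k1"}, CLAIMS, b"\x00" * 8)
BOGUS_ID_TOKEN = _make_token({"alg": "none"}, CLAIMS, b"\x00" * 8)


def jose_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_id_token_alg(token: str, response_type: str, allow_none: bool = False):
    """Return (status, message) with status PASS, WARNING or FAILURE (assumed names)."""
    alg = jose_header(token).get("alg")
    signature = token.split(".")[2]
    if alg == "none":
        if signature:
            return ("FAILURE", "alg:none header but a signature part is present")
        # OpenID Connect Core only contemplates alg none when no ID Token is
        # returned from the authorization endpoint, i.e. the code flow; the
        # suite would additionally require an explicit opt-in and still warn.
        if response_type == "code" and allow_none:
            return ("WARNING", "id_token uses alg:none, a well known cause of "
                               "security vulnerabilities and not interoperable")
        return ("FAILURE", f"unsigned id_token not accepted for response_type={response_type}")
    if not signature:
        return ("FAILURE", f"alg {alg} declared but signature part is empty")
    return ("PASS", f"id_token signed with {alg}; verify against jwks_uri next")
```

Signature verification itself is out of scope here; the PASS branch only means the header is acceptable and the token should go on to normal JWS validation.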




