[Openid-specs-ab] Issue #1502: [Federation] id_token_signing_alg? (openid/connect)

Takahiko Kawasaki issues-reply at bitbucket.org
Mon May 23 20:52:38 UTC 2022


New issue 1502: [Federation] id_token_signing_alg?
https://bitbucket.org/openid/connect/issues/1502/federation-id_token_signing_alg

Takahiko Kawasaki:

In [Section 5.1. Metadata Policy](https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.5.1) and [Section 5.1.8. Policy Example](https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.5.1.8) of [OpenID Connect Federation 1.0](https://openid.net/specs/openid-connect-federation-1_0.html), `id_token_signing_alg` is used as an example of metadata. Is it correct?

[OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) defines `id_token_signed_response_alg`. [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) defines `id_token_signing_alg_values_supported`. It seems better to change `id_token_signing_alg` to either `id_token_signed_response_alg` or `id_token_signing_alg_values_supported` unless `id_token_signing_alg` is used intentionally as a virtual metadata for some reasons.

I guess that `id_token_signing_alg` in Section 5.1 intends to be `id_token_signing_alg_values_supported` and that `id_token_signing_alg` in Section 5.1.8 intends to be `id_token_signed_response_alg`. And if so, because the type of `id_token_signed_response_alg` is not a JSON array, the example in Section 5.1.8 seems inappropriate.
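The type mismatch raised above (a string-valued RP parameter versus an array-valued OP parameter) is the kind of thing a policy resolver can catch before it applies a policy. The following is an added example, not code from the issue or from the Federation spec; it assumes the draft's metadata-policy operators (`value`, `add`, `default`, `one_of`, `subset_of`, `essential`) and hard-codes the declared JSON types of a few registered parameters, rejecting unregistered names such as `id_token_signing_alg` and array operators on string-typed parameters.

```python
# Minimal metadata-policy resolver (assumption: operators as in the OpenID
# Connect Federation draft; only a few registered parameters are typed here).
PARAM_TYPES = {
    "id_token_signed_response_alg": str,            # RP metadata: one JWS alg
    "id_token_signing_alg_values_supported": list,  # OP metadata: JSON array
    "response_types": list,
}
ARRAY_ONLY_OPS = {"add", "subset_of"}  # only meaningful on JSON arrays

def check_policy(policy):
    """Return a list of problems that make a policy ill-formed: an
    unregistered parameter name, or an array operator on a string parameter."""
    problems = []
    for param, ops in policy.items():
        ptype = PARAM_TYPES.get(param)
        if ptype is None:
            problems.append(f"unknown metadata parameter: {param}")
            continue
        for op in ops:
            if op in ARRAY_ONLY_OPS and ptype is not list:
                problems.append(f"{op} applied to non-array parameter {param}")
    return problems

def apply_policy(metadata, policy):
    """Apply policy to a copy of metadata; raise if policy or result is invalid."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    out = dict(metadata)
    for param, ops in policy.items():
        ptype = PARAM_TYPES[param]
        if "value" in ops:                       # value overrides everything
            out[param] = ops["value"]
        if "add" in ops:                         # union, preserving order
            out[param] = list(dict.fromkeys(list(out.get(param, [])) + list(ops["add"])))
        if "default" in ops and param not in out:
            out[param] = ops["default"]
        if param not in out:
            if ops.get("essential"):
                raise ValueError(f"essential parameter {param} missing")
            continue
        v = out[param]
        if not isinstance(v, ptype):             # enforce the declared JSON type
            raise TypeError(f"{param} must be {ptype.__name__}, got {type(v).__name__}")
        if "one_of" in ops and v not in ops["one_of"]:
            raise ValueError(f"{param}={v!r} not in one_of {ops['one_of']}")
        if "subset_of" in ops:                   # drop values outside the allowed set
            out[param] = [x for x in v if x in ops["subset_of"]]
    return out
```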
