[Openid-specs-ab] Issue #1662: id_token signature validation (openid/connect)

josephheenan issues-reply at bitbucket.org
Thu Oct 6 12:19:32 UTC 2022


New issue 1662: id_token signature validation
https://bitbucket.org/openid/connect/issues/1662/id_token-signature-validation

Joseph Heenan:

[https://openid.net/specs/openid-connect-federation-1_0-23.html#section-10.4](https://openid.net/specs/openid-connect-federation-1_0-23.html#section-10.4) is potentially ambiguous as to whether the id token signature must be validated or not:

> The RP MUST validate any ID token as defined in Section 3.1.3.7. of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-federation-1_0-23.html#OpenID.Core) [[OpenID.Core](https://openid.net/specs/openid-connect-federation-1_0-23.html#OpenID.Core)]. If the trust relationship between RP and OP was established using OpenID Connect Federation, the key material used for ID Token signature validation MUST be obtained from the OP's metadata the RP obtained as a result of Trust Chain validation as defined in [Section 8](https://openid.net/specs/openid-connect-federation-1_0-23.html#resolving_trust) and combining the metadata policies from the Entity Statements of the Trust Chain as described in [Section 5.1](https://openid.net/specs/openid-connect-federation-1_0-23.html#metadata_policy).

It kind of seems to say you must validate the signature, whereas 3.1.3.7 of OIDC makes validation optional for the client (“If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature.”).

It should be made clear which is intended. If intended to align with OIDC, I suggest changing “If the trust relationship…” to “If the ID token signature is to be validated and the trust relationship…”.



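The behaviour the quoted Section 10.4 text requires, shown as an added example; this is not code from this thread, from the Federation spec or from any OpenID Foundation project. It takes the "signature is validated" branch of Core 3.1.3.7 (the TLS-only MAY alternative is not exercised) and shows the one point the Federation sentence adds: the RP selects the signing key only from the key material that came out of Trust Chain resolution. Assumptions, all constructed for the example: ES256 signatures, a `resolvedOP` struct standing in for the resolved OP metadata with its JWKS already parsed into public keys indexed by `kid`, issuer `https://op.example.org`, client_id `rp-client`, and a single-valued `aud`. The second token in `main` is signed with a key that carries the same `kid` but is not in the resolved metadata, and is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// resolvedOP is the slice of OP metadata the RP holds after Trust Chain resolution
// (shape assumed for this example): the issuer and its JWKS, already parsed by kid.
type resolvedOP struct {
	Issuer string
	Keys   map[string]*ecdsa.PublicKey
}

var b64 = base64.RawURLEncoding

// decodeSegment base64url-decodes one JWS segment and parses it as JSON.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signIDToken is the OP side: an ES256 JWS over the claims, tagged with kid.
func signIDToken(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken is the RP side. The signing key is looked up only in the key material
// that came out of Trust Chain resolution; a kid that is not there is a hard failure.
func verifyIDToken(token string, op resolvedOP, clientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // pin the algorithm; "none" or an alg switch is rejected
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := op.Keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("kid %q is not in the Trust-Chain-resolved OP metadata", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad ES256 signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("ID token signature invalid")
	}
	var claims map[string]any
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != op.Issuer || claims["aud"] != clientID { // Core 3.1.3.7; single-valued aud only
		return nil, fmt.Errorf("iss/aud mismatch: iss=%v aud=%v", claims["iss"], claims["aud"])
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("ID token expired or has no exp")
	}
	return claims, nil
}

func main() {
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // not vouched for by the Trust Chain
	op := resolvedOP{Issuer: "https://op.example.org", Keys: map[string]*ecdsa.PublicKey{"k1": &opKey.PublicKey}} // constructed
	claims := map[string]any{"iss": op.Issuer, "aud": "rp-client", "sub": "alice", "exp": time.Now().Add(time.Hour).Unix()}
	for _, k := range []*ecdsa.PrivateKey{opKey, otherKey} {
		tok, _ := signIDToken(k, "k1", claims) // both tokens claim kid "k1"
		_, err := verifyIDToken(tok, op, "rp-client", time.Now())
		fmt.Println("accepted:", err == nil, "err:", err)
	}
}
```

The lookup by `kid` against `op.Keys` is the whole of the Federation-specific requirement: nothing in the verifier consults a key set obtained by any other route, so a key the OP serves elsewhere but that the Trust Chain never vouched for cannot validate a token. Multi-valued `aud`, `azp`, `nonce` and the other Core 3.1.3.7 checks are unchanged by Federation and are left out here.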