[Openid-specs-ab] [openid/connect] Basic - Drop the need for signature validation in basic profile (issue #568)

tlodderstedt issues-reply at bitbucket.org
Fri Apr 6 20:52:13 UTC 2012


New issue 568: Basic - Drop the need for signature validation in basic profile
https://bitbucket.org/openid/connect/issue/568/basic-drop-the-need-for-signature

tlodderstedt on Fri, 6 Apr 2012 22:52:13 +0200:

If the basic client flow is changed to grant type code, integrity and authenticity of the id token is already ensured by TLS.

Because of the direct TLS-protected connection between RP and AS on the tokens endpoint, the RP no longer needs to validate the digital signature of an id token. This is because the authenticity of the issuer is already ensured by TLS server authentication. This would further simplify RP implementations and follow the OAuth 2.0 spirit to avoid signatures if possible. Clearly, signature validation is still needed for all indirect transmissions of id tokens.
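The distinction the issue draws (direct delivery from the token endpoint over TLS versus indirect delivery, where the signature is the only integrity protection) can be made concrete with a small RP-side validator. The code below is an added illustration, not part of the issue report or of any OpenID Connect implementation. It assumes HS256 with the client_secret as HMAC key (a signing option OpenID Connect permits, chosen here so the example needs no external libraries); the issuer, client id, nonce, secret and timestamps are constructed sample values. It shows that skipping the signature on the direct path makes the RP rely entirely on TLS for integrity, that the same tampering is caught on the indirect path, and that the claim checks (iss, aud, exp, nonce) apply on both paths regardless.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, client_secret: str) -> str:
    """Stand-in for the OP: build an HS256-signed id_token (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_signature(token: str, client_secret: str) -> bool:
    """HMAC check over header.payload; only HS256 is accepted, so 'alg: none' is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        given = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(
        client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, given)


def validate_claims(claims: dict, issuer: str, client_id: str, nonce: str, now: int) -> list:
    """Checks every RP performs no matter which channel delivered the token."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    return problems


def validate_id_token(token: str, *, via_token_endpoint: bool, client_secret: str,
                      issuer: str, client_id: str, nonce: str, now: int = None):
    """Return (accepted, problems).

    via_token_endpoint=True models the issue's proposal: the token came straight
    from the AS over a server-authenticated TLS connection, so the signature is
    not checked. Any indirectly delivered token must have a valid signature.
    """
    now = int(time.time()) if now is None else now
    if not via_token_endpoint and not verify_signature(token, client_secret):
        return False, ["signature"]
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return False, ["malformed"]
    if not isinstance(claims, dict):
        return False, ["malformed"]
    problems = validate_claims(claims, issuer, client_id, nonce, now)
    return (not problems), problems


def demo() -> dict:
    """Constructed sample: one genuine token and one whose payload was swapped."""
    secret = "constructed-client-secret"           # hypothetical client_secret
    issuer, client_id = "https://op.example", "rp-client"
    nonce, now = "n-0S6_WzA2Mj", 1333745533        # constructed values
    genuine = make_id_token({"iss": issuer, "sub": "alice", "aud": client_id,
                             "exp": now + 600, "iat": now, "nonce": nonce}, secret)
    # Forged copy: same header and signature, payload rewritten to a different subject.
    header_b64, _, sig_b64 = genuine.split(".")
    forged_payload = b64url_encode(json.dumps(
        {"iss": issuer, "sub": "admin", "aud": client_id,
         "exp": now + 600, "iat": now, "nonce": nonce}, separators=(",", ":")).encode())
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"
    common = dict(client_secret=secret, issuer=issuer, client_id=client_id, nonce=nonce, now=now)
    return {
        "genuine_direct": validate_id_token(genuine, via_token_endpoint=True, **common),
        "genuine_indirect": validate_id_token(genuine, via_token_endpoint=False, **common),
        "forged_indirect": validate_id_token(forged, via_token_endpoint=False, **common),
        # Accepted: with the signature skipped, only TLS stood between the RP and this edit.
        "forged_direct": validate_id_token(forged, via_token_endpoint=True, **common),
        "wrong_nonce": validate_id_token(genuine, via_token_endpoint=True,
                                         **{**common, "nonce": "other"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `forged_direct` result is the point of the trade-off: dropping signature validation on the token-endpoint path is sound only while the TLS server authentication the issue relies on actually holds, which is why the same validator keeps the signature check for every indirect path and keeps the claim checks on both.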
