[Openid-specs-ab] id_token_signed_response_alg=none and response_type=id_token
sakimura at gmail.com
Sat Oct 20 06:42:19 UTC 2012
Good point. It should be an error condition.
Or, perhaps we may require id_token to be always integrity protected.
=nat via iPhone
On Oct 19, 2012 22:16, Brian Campbell <bcampbell at pingidentity.com> wrote:
> What should happen when a client registers with id_token_signed_response_alg=none and then makes an authorization request with response_type=id_token or any response type that would pass the id token through the front channel?
> This seems like it'd be an error condition (invalid_request maybe?) but I didn't see anything about it in the specs (please correct me, if I'm wrong).
> Is there some case where it'd be ok to pass a non-integrity-protected id token through the front channel?
> Do the specs need to say something about this? Or is it left up to implementation deployment?
> Am I missing something here?
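An added example (not from the thread, and not from any OpenID implementation) sketching the error condition proposed in the reply: the OP refuses an authorization request whose response_type would return the ID token through the front channel when the client registered id_token_signed_response_alg=none, and a relying party rejects an unsigned ID token before any further processing. The client records and the JWT helper are constructed for illustration.

```python
import base64
import json
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed client registration records (hypothetical, not real deployments).
CLIENTS = {
    "client-a": {"id_token_signed_response_alg": "none"},
    "client-b": {"id_token_signed_response_alg": "RS256"},
}


def check_authorization_request(client_id: str, params: dict) -> Tuple[bool, Optional[str]]:
    """OP-side check. Returns (True, None) when the request may proceed, or
    (False, "invalid_request") when the ID token would be returned through the
    front channel (response_type contains id_token) for a client that registered
    id_token_signed_response_alg=none, i.e. without integrity protection."""
    client = CLIENTS[client_id]
    alg = client.get("id_token_signed_response_alg", "RS256")  # OIDC default is RS256
    requested = set(params.get("response_type", "").split())  # space-delimited, any order
    if "id_token" in requested and alg == "none":
        return False, "invalid_request"
    return True, None


def id_token_is_integrity_protected(id_token: str) -> bool:
    """RP-side check on a compact-serialized JWT received in the front channel:
    reject alg=none (compared case-insensitively, defensively) and an empty
    signature part before any signature verification is attempted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return False
    header = json.loads(_b64url_decode(parts[0]))
    return str(header.get("alg", "none")).lower() != "none" and parts[2] != ""


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed 'alg: none' JWT (empty signature part), for testing the RP check only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."
```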