[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

nov matake nov at matake.jp
Thu Nov 6 09:06:33 UTC 2014

Section 4 of the migration spec says:

If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found,
then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name

but I couldn’t find the reason why it must be “asymmetric”.

Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might make it hard for them to support the migration spec.
