[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?
nov at matake.jp
Thu Nov 6 09:06:33 UTC 2014
Section 4 of the migration spec says:
  If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found,
  then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name
but I couldn’t find the reason why it must be “asymmetric”.
Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might be hard for them to support the migration spec.