[Openid-specs-ab] Issue #964: ID Token protection rules already defined in Core (openid/connect)

Torsten Lodderstedt issues-reply at bitbucket.org
Sun Nov 9 11:42:18 UTC 2014


New issue 964: ID Token protection rules already defined in Core
https://bitbucket.org/openid/connect/issue/964/id-token-protection-rules-already-defined

Torsten Lodderstedt:

§4 specifies that the OP must asymmetrically sign ID tokens carrying OpenID 2.0 identifiers.

"... then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token ..."

OpenID Core already defines different methods to protect the authenticity and integrity of ID Tokens (TLS on token endpoint, HMAC, digital signatures). RPs and OPs can choose what fits their requirements and use cases best.

There is no need and benefit to prescribe a certain protection method in the migration spec. I therefore propose to remove this constraint.

Proposed text change:
CURRENT
"If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found, then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name:"

NEW
"If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found, then the OP MUST include the OpenID 2.0 Identifier in the ID Token with the following claim name:"

Additionally, the security considerations section could point out the importance to prevent modifications of this ID Token claim.
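To illustrate the point in the issue that a Core-defined protection method such as an HMAC keyed with the client secret already lets the RP detect any modification of the identifier claim, here is an added example; it is not code from the issue, the spec or any OpenID implementation. The claim name is a labelled placeholder (the migration spec's actual claim name is not quoted here), and the secret and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Placeholder claim name: the migration spec defines the real one (not quoted on this page).
IDENTIFIER_CLAIM = "openid2_identifier_claim_placeholder"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(claims: dict, client_secret: bytes) -> str:
    """OP side: HS256-signed ID Token (JWS compact serialization) keyed with the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verified_openid2_identifier(id_token: str, client_secret: bytes):
    """RP side: return the OpenID 2.0 identifier only if the HMAC over the token verifies."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm the RP did not expect
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    return claims.get(IDENTIFIER_CLAIM)

def rewrite_identifier_unsigned(id_token: str, new_identifier: str) -> str:
    """Constructed for the demo: change the claim without re-signing, so the RP check must reject it."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims[IDENTIFIER_CLAIM] = new_identifier
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"
```

The same check applies unchanged whichever Core-defined protection method the RP and OP agree on; only the signature verification step differs for an asymmetric algorithm.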



