[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

Torsten Lodderstedt torsten at lodderstedt.net
Sun Nov 9 11:46:20 UTC 2014


Hi Nov,

I don't think there is a need to limit ID token protection in the 
migration spec to asymmetric signatures. HMAC or TLS (for direct 
communication/grant type code) also work.

I therefore created a tracker issue to remove this constraint.

https://bitbucket.org/openid/connect/issue/964/id-token-protection-rules-already-defined

kind regards,
Torsten.

Am 06.11.2014 10:06, schrieb nov matake:
> Section 4 of migration spec says
>
> ==
> If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found,
> then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name
> ==
>
> but I couldn’t find the reason why it must be “asymmetric”.
>
> ps.
> Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might be hard for them to support migration spec.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab



More information about the Openid-specs-ab mailing list