[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

Torsten Lodderstedt torsten at lodderstedt.net
Sun Nov 9 11:46:20 UTC 2014

Hi Nov,

I don't think there is a need to limit ID token protection in the 
migration spec to asymmetric signatures. HMAC or TLS (for direct 
communication/grant type code) also work.

I therefore created a tracker issue to remove this constraint.


kind regards,

On 06.11.2014 10:06, nov matake wrote:
> Section 4 of migration spec says
> ==
> If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found,
> then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name
> ==
> but I couldn’t find the reason why it must be “asymmetric”.
> ps.
> Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might be hard for them to support migration spec.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
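
The HMAC option discussed in this thread, as an added example that is not part of the original messages or of the migration spec: an OP signs an ID Token with HS256 and the RP verifies it with the algorithm pinned. The secret, issuer, client_id and identifier values are constructed, the claim name is a placeholder because the quoted spec text does not show it, `aud` is assumed to be a single string, and expiry and nonce checks are left out.

```python
import base64, hashlib, hmac, json

OPENID2_CLAIM = "example_openid2_identifier"  # placeholder claim name, not from the spec text

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """OP side: compact JWS over the claims, protected with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(mac(header + '.' + payload, secret))}"

def verify_hs256(token: str, secret: bytes, issuer: str, client_id: str) -> dict:
    """RP side: accept only HS256, check the MAC, then iss and aud."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header must not be allowed to select
    # "none" or any algorithm other than the one the RP registered.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the received and recomputed MAC.
    if not hmac.compare_digest(sig, mac(header_b64 + "." + payload_b64, secret)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong iss or aud")
    return claims

def demo() -> dict:
    secret = b"constructed-client-secret"  # constructed sample values throughout
    claims = {"iss": "https://op.example", "aud": "rp-client", "sub": "user-1",
              OPENID2_CLAIM: "https://openid2.example/user-1"}
    return verify_hs256(sign_hs256(claims, secret), secret,
                        "https://op.example", "rp-client")

if __name__ == "__main__":
    print(demo())
```

With HS256 the MAC key is the client secret shared by the OP and that one RP, so the token is verifiable only by that RP, and anyone who holds the secret can produce a valid token.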
