[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

Mike Jones Michael.Jones at microsoft.com
Sun Nov 9 19:42:54 UTC 2014

I agree that this should not require a particular signature type.  I believe that this is closely related to bug https://bitbucket.org/openid/connect/issue/964/id-token-protection-rules-already-defined, which Torsten filed.

We should address this in the next version of the migration spec.

				-- Mike

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of nov matake
Sent: Wednesday, November 05, 2014 11:07 PM
To: openid-specs-ab at lists.openid.net openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?

Section 4 of the migration spec says

If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found, then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name ==

but I couldn't find the reason why it must be "asymmetric".

Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might make it hard for them to support the migration spec.