[Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?
Michael.Jones at microsoft.com
Sun Nov 9 19:44:02 UTC 2014
I agree with you that the Migration spec shouldn't impose additional signing requirements on the ID Token. Nov Matake raised that for the symmetric signature case in a separate message. We should address this in the next version of the Migration spec.
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 09, 2014 1:46 AM
To: nov matake; openid-specs-ab at lists.openid.net openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] why migration spec require "asymmetrically signed" id_token?
I don't think there is a need to limit ID token protection in the migration spec to asymmetric signatures. HMAC or TLS (for direct communication/grant type code) also work.
I therefore created a tracker issue to remove this constraint.
On 06.11.2014 10:06, nov matake wrote:
> Section 4 of the migration spec says
> If the verification of the Relying Party was successful and an
> associated OpenID 2.0 Identifier for the user is found, then the OP
> MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID
> Token with the following claim name ==
> but I couldn't find the reason why it must be "asymmetric".
> Yahoo! Japan uses HS256 in their Connect implementation, so the requirement might make it hard for them to support the migration spec.
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net