[Openid-specs-fapi] Issue #277: FAPI-RW: Is disallowing signed id_tokens allowed? (i.e. always used signed+encrypted) (openid/fapi)

josephheenan issues-reply at bitbucket.org
Wed Jan 22 00:15:52 UTC 2020


New issue 277: FAPI-RW: Is disallowing signed id_tokens allowed? (i.e. always used signed+encrypted)
https://bitbucket.org/openid/fapi/issues/277/fapi-rw-is-disallowing-signed-id_tokens

Joseph Heenan:

https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md#markdown-header-5221-id-token-as-detached-signature reads:

> shall support signed ID Tokens;

> should support signed and encrypted ID Tokens;

I’m not sure whether to read this as “must support either JWS or JWE id_tokens”, or if it’s “must support JWS and may support JWE”.

i.e. can authorization servers opt to always use encryption?


Naively I can’t see any reason to rule out going all-in on encryption, unless it’s for interoperability reasons. (And if it is for interoperability, it might be worth adding a note to that effect.)
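
The interoperability question above turns on whether a relying party can handle both forms: a plain JWS ID Token and a JWS nested inside a JWE (signed then encrypted). The following added example (not part of the issue or the FAPI spec) shows an RP-side pre-check that tells the two compact serializations apart from the protected header alone, and uses the `cty: "JWT"` nested-JWT marker from RFC 7519 to confirm an encrypted token still carries an inner signature; the sample tokens and the `encryption_registered` flag are constructed for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    # Compact serialization uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def classify_id_token(token: str) -> dict:
    """Inspect the protected header of a compact JWS (3 parts) or JWE (5 parts).

    For a JWE, report whether cty == "JWT" marks a nested, signed inner token;
    an encrypted-only ID Token would carry no issuer signature.
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"expected 3 (JWS) or 5 (JWE) parts, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 3:
        if header.get("alg") == "none":
            raise ValueError("unsigned (alg=none) ID Tokens are not acceptable")
        return {"kind": "JWS", "alg": header["alg"], "nested": False}
    # JWE: "alg" is key management, "enc" is content encryption.
    nested = header.get("cty", "").upper() == "JWT"
    return {"kind": "JWE", "alg": header["alg"], "enc": header["enc"], "nested": nested}


def rp_accepts(token: str, encryption_registered: bool) -> bool:
    """An RP supporting both forms: a JWE is fine only if it nests a signed JWT;
    a bare JWS is fine only if the client did not register an encryption alg."""
    info = classify_id_token(token)
    if info["kind"] == "JWE":
        return info["nested"]
    return not encryption_registered


# Constructed sample tokens: only the headers matter here, other parts are dummies.
SIGNED_ONLY = ".".join([
    _b64url(json.dumps({"alg": "PS256", "kid": "k1"}).encode()),
    _b64url(b'{"iss":"https://as.example"}'), _b64url(b"sig")])
SIGNED_THEN_ENCRYPTED = ".".join([
    _b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}).encode()),
    _b64url(b"ek"), _b64url(b"iv"), _b64url(b"ct"), _b64url(b"tag")])
```

A real RP would follow this pre-check with JWE decryption and JWS verification of the inner token; the point here is that accepting both shapes is what lets an AS that always encrypts still interoperate.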

