[Openid-specs-fapi] Issue #277: FAPI-RW: Is disallowing signed id_tokens allowed? (i.e. always used signed+encrypted) (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Wed Jan 22 00:15:52 UTC 2020
New issue 277: FAPI-RW: Is disallowing signed id_tokens allowed? (i.e. always used signed+encrypted)
https://bitbucket.org/openid/fapi/issues/277/fapi-rw-is-disallowing-signed-id_tokens
Joseph Heenan:
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md#markdown-header-5221-id-token-as-detached-signature reads:
> shall support signed ID Tokens;
> should support signed and encrypted ID Tokens;
I’m not sure whether to read this as “must support either JWS or JWE id_tokens”, or if it’s “must support JWS and may support JWE”.
i.e. can authorization servers opt to always use encryption?
Naively I can’t see any reason to rule out going all-in on encryption, unless it’s for interoperability reasons. (and if it is for interoperability, it might be worth adding a note to that effect.)
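The interoperability point behind the question, as an added illustration that is not part of the issue or of the FAPI specification: a client inspects the compact serialisation of an ID Token to tell a plain JWS (three segments) from a JWE wrapping a signed token (five segments, `cty: JWT`), and a client that only implements signed ID Tokens has no way to consume the encrypted form. Function names and the placeholder payload/ciphertext segments are this example's own constructions.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def classify_id_token(token: str) -> dict:
    """Return the JOSE form of a compact-serialised ID Token and key header fields.

    JWS compact serialisation has 3 dot-separated segments, JWE has 5. In both,
    the first segment is the base64url-encoded protected header.
    """
    parts = token.split(".")
    if len(parts) == 3:
        form = "JWS"
    elif len(parts) == 5:
        form = "JWE"
    else:
        raise ValueError(f"not a compact JOSE object: {len(parts)} segments")
    header = json.loads(_b64url_decode(parts[0]))
    if form == "JWE" and "enc" not in header:
        raise ValueError("JWE protected header is missing 'enc'")
    # A nested JWT (signed, then encrypted) marks the inner JWS with cty=JWT (RFC 7519 s5.2).
    nested = form == "JWE" and header.get("cty", "").upper() == "JWT"
    return {"form": form, "alg": header.get("alg"), "enc": header.get("enc"), "nested": nested}

def client_can_consume(token: str, supports_encryption: bool) -> bool:
    """A client that only implements signed ID Tokens cannot consume a JWE-wrapped
    one, however valid it is; that is the interop cost of an AS encrypting always."""
    info = classify_id_token(token)
    if info["form"] == "JWS":
        return True
    return supports_encryption and info["nested"]

# Constructed sample tokens: only the protected header is real; the remaining
# segments are placeholders because nothing here verifies or decrypts them.
SIGNED_ONLY = ".".join([_b64url_encode(json.dumps({"alg": "PS256", "kid": "k1"}).encode()), "e30", "c2ln"])
SIGNED_AND_ENCRYPTED = ".".join([
    _b64url_encode(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT", "kid": "k2"}).encode()),
    "ZWs", "aXY", "Y3Q", "dGFn"])
```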