[Openid-specs-fapi] Working Group Last Call - JARM

Brian Campbell bcampbell at pingidentity.com
Sun Jul 3 23:08:57 UTC 2022


On Sun, Jul 3, 2022 at 8:57 AM Torsten Lodderstedt via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

>
> On 02.07.2022 at 09:54, Nat Sakimura via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
> * JARM appears to only define behavior for response type code and token,
> but the treatment of ID Token comes up later saying it needs to be
> encrypted. Perhaps the reference can be removed.
>
> That text makes encryption a MUST, which goes far beyond core and even
> FAPI. I agree with your proposal to remove it.
>


The text is, 'Note: "query.jwt" MUST NOT be used in conjunction with
response types that contain "token" or "id_token" unless the response JWT
is encrypted to prevent token leakage in the URL.' That is saying you
can't use query string encoding for response types that contain "token" or
"id_token" *unless* the whole JARM response is encrypted. Core and FAPI
outright prohibit response types that contain "token" or "id_token" being
used with query string encoding. So this is not more restrictive. It's an
allowance for query string encoding when JARM encryption is used.

The special case may not be worth having. And preventing leakage with
encryption is subtle because the whole response can still potentially leak
and that can be problematic.

So it might be worthwhile to remove that bit, but for other reasons, as the
reasons stated aren't accurate.

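The rule under discussion, worked through in code as an added example that is not part of this thread or of the JARM specification text: an authorization server (or a conformance check) that decides whether a JARM response may be returned in "query.jwt" mode, based on the response type and on whether the response JWT is a JWE (five compact segments with an "enc" header) rather than a JWS (three segments). The function names, the sample redirect URIs and the sample JWTs are constructed for illustration; the signature and ciphertext segments are placeholders, not real cryptographic output. The `check_redirect` helper also reports whether the response sits in the URL query component at all, which is the residual-leak caveat raised above: encrypting the JWT hides the tokens, but the whole response still travels in a part of the URL that reaches server logs and Referer headers.

```python
"""Policy check for JARM response modes, following the JARM note that
"query.jwt" MUST NOT carry response types containing "token" or "id_token"
unless the response JWT is encrypted.  Sample JWTs below are constructed;
their signature / ciphertext segments are placeholders, not real crypto."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

LEAKY_RESPONSE_TYPES = {"token", "id_token"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_header(compact: str) -> dict:
    """Protected header (first segment) of a compact JWS or JWE."""
    return json.loads(b64url_decode(compact.split(".")[0]))


def is_encrypted_jwt(compact: str) -> bool:
    """A JWE compact serialization has five segments and an 'enc' header
    (RFC 7516); a JWS has three segments and no 'enc' (RFC 7515)."""
    segments = compact.split(".")
    return len(segments) == 5 and "enc" in jose_header(compact)


def query_jwt_allowed(response_type: str, response_mode: str, response_jwt: str) -> bool:
    """Apply the JARM note: query.jwt with a token/id_token response type is
    permitted only when the whole response JWT is a JWE."""
    if response_mode != "query.jwt":
        return True  # fragment.jwt, form_post.jwt and jwt are not restricted by the note
    if not LEAKY_RESPONSE_TYPES & set(response_type.split()):
        return True  # e.g. plain "code": nothing token-like in the response
    return is_encrypted_jwt(response_jwt)


def check_redirect(redirect_url: str, response_type: str) -> dict:
    """Classify an AS redirect URI (hypothetical helper): where the JARM
    response sits, whether it is encrypted, and whether the note allows it.
    Anything in the query component is exposed to logs and Referer headers
    even when encrypted, hence the separate in_query_component flag."""
    parts = urlsplit(redirect_url)
    if "response=" in parts.query:
        mode, response = "query.jwt", parse_qs(parts.query)["response"][0]
    elif "response=" in parts.fragment:
        mode, response = "fragment.jwt", parse_qs(parts.fragment)["response"][0]
    else:
        raise ValueError("no JARM response parameter found")
    return {
        "response_mode": mode,
        "encrypted": is_encrypted_jwt(response),
        "allowed": query_jwt_allowed(response_type, mode, response),
        "in_query_component": mode == "query.jwt",
    }


# --- constructed samples (placeholder signature / ciphertext segments) ---
SIGNED_RESPONSE = ".".join([
    b64url(json.dumps({"alg": "PS256", "kid": "as-1"}).encode()),
    b64url(json.dumps({"iss": "https://as.example", "aud": "client-1",
                       "code": "SplxlOBeZQQYbYS6WxSbIA",
                       "access_token": "2YotnFZFEjr1zCsicMWpAA",
                       "token_type": "Bearer"}).encode()),
    b64url(b"placeholder-signature"),
])
ENCRYPTED_RESPONSE = ".".join([
    b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "client-1"}).encode()),
    b64url(b"placeholder-encrypted-key"),
    b64url(b"placeholder-iv"),
    b64url(b"placeholder-ciphertext"),
    b64url(b"placeholder-tag"),
])

if __name__ == "__main__":
    for rt, mode, jwt in [("code", "query.jwt", SIGNED_RESPONSE),
                          ("code token", "query.jwt", SIGNED_RESPONSE),
                          ("code token", "query.jwt", ENCRYPTED_RESPONSE),
                          ("code id_token", "fragment.jwt", SIGNED_RESPONSE)]:
        print(f"{rt!r:18} {mode:13} encrypted={is_encrypted_jwt(jwt)!s:5} "
              f"allowed={query_jwt_allowed(rt, mode, jwt)}")
    print(check_redirect("https://client.example/cb?response=" + ENCRYPTED_RESPONSE, "code token"))
```

The check deliberately keys on the structure of the response JWT (JWE versus JWS) rather than on a client registration flag, because the note is phrased in terms of the response actually being encrypted; a deployment that also wants to avoid the residual exposure of the query component should simply refuse "query.jwt" for these response types and require "fragment.jwt" or "form_post.jwt".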