[Openid-specs-fapi] Issue #510: Prohibition of alg=none not quite enough (openid/fapi)
Nat
issues-reply at bitbucket.org
Mon Jul 4 14:20:08 UTC 2022
New issue 510: Prohibition of alg=none not quite enough
https://bitbucket.org/openid/fapi/issues/510/prohibition-of-alg-none-not-quite-enough
Nat Sakimura:
# Comments
Since we are trying to integrity protect the authorization response, the use of alg=none needs to be prohibited. Although the first bullet in Clause **3 Client Metadata** states
> The algorithm none is not allowed.
it is not using normative language and is too weak.
Also, it would be a good idea to include the algorithm check in 2.4 Processing rules so that conformance test specifically checks for it.
# Proposal
Amend the sentence above to read as:
> The algorithm none ("alg":"none") MUST NOT be used.
Also, insert the following above 2.4-2 stating that if alg=none then the message MUST be rejected.
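The processing-rule check proposed above, written out as an added example (not code from the issue, the FAPI specification or its conformance suite): the client parses the compact JWS, rejects alg=none before any signature handling, and only then verifies the signature against the algorithm it registered. `check_alg`, `verify_response_jwt`, `make_token` and the callback shape are names assumed for this illustration; the tokens are constructed inline. HS256 appears only so the demo runs on the standard library, and the demo passes an explicit allowlist for it because FAPI does not permit HMAC algorithms.

```python
import base64
import hashlib
import hmac
import json

# FAPI 1.0 Advanced restricts JWS to PS256 and ES256; used as the default
# allowlist (assumption: the client registered one of these as its
# authorization_signed_response_alg).
FAPI_ALGS = frozenset({"PS256", "ES256"})


class InvalidResponseJWT(Exception):
    """Raised when the authorization response JWT MUST be rejected."""


def _b64url_decode(segment):
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_alg(header, expected_alg, allowed_algs=FAPI_ALGS):
    """Step to run before the signature check: reject alg=none outright,
    then require the alg to be the one registered for the client."""
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise InvalidResponseJWT("JOSE header has no string 'alg'")
    # Normalise case and whitespace so "NONE", "None" or "none " cannot
    # slip past a naive exact-string comparison.
    if alg.strip().lower() == "none":
        raise InvalidResponseJWT("alg=none MUST NOT be used; response rejected")
    if alg not in allowed_algs:
        raise InvalidResponseJWT(f"alg {alg!r} is not a permitted algorithm")
    if alg != expected_alg:
        raise InvalidResponseJWT(
            f"alg {alg!r} does not match registered "
            f"authorization_signed_response_alg {expected_alg!r}")
    return alg


def verify_response_jwt(token, expected_alg, verify_signature,
                        allowed_algs=FAPI_ALGS):
    """Parse a compact JWS, apply check_alg, then verify the signature via
    the caller-supplied verify_signature(alg, signing_input, signature)
    callback (a hypothetical stand-in for a JWS library) and return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidResponseJWT("not a compact JWS (expected three segments)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidResponseJWT("malformed JOSE header") from exc
    # The alg check runs BEFORE any signature processing, so an alg=none
    # token is rejected regardless of what its third segment contains.
    alg = check_alg(header, expected_alg, allowed_algs)
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    if not verify_signature(alg, signing_input, _b64url_decode(parts[2])):
        raise InvalidResponseJWT("signature verification failed")
    return json.loads(_b64url_decode(parts[1]))


# --- constructed sample tokens (not real authorization responses) ---------

def make_token(header, payload, key=b""):
    """Build a compact JWS for the demo. HS256 is used only because it can be
    computed with the standard library; FAPI does not permit HMAC algorithms."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    if header["alg"] == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        sig = b""  # alg=none tokens carry an empty signature segment
    return f"{h}.{p}.{_b64url_encode(sig)}"


DEMO_KEY = b"demo-shared-secret"  # constructed, demo only
CLAIMS = {"iss": "https://as.example", "aud": "client-1", "code": "abc"}


def hs256_verifier(alg, signing_input, signature):
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return alg == "HS256" and hmac.compare_digest(expected, signature)


def demo():
    """Return the outcome for each constructed token."""
    cases = {
        "none": make_token({"alg": "none"}, CLAIMS),
        "NONE": make_token({"alg": "NONE"}, CLAIMS),
        "hs256_good": make_token({"alg": "HS256"}, CLAIMS, DEMO_KEY),
        "hs256_badkey": make_token({"alg": "HS256"}, CLAIMS, b"wrong"),
    }
    results = {}
    for name, tok in cases.items():
        try:
            verify_response_jwt(tok, "HS256", hs256_verifier, {"HS256"})
            results[name] = "accepted"
        except InvalidResponseJWT as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

The order of the checks is the point: the alg test is applied to the parsed header before the signature segment is decoded or any key is looked up, so a token with alg=none is rejected even if it carries a non-empty signature, and an alg that differs from the registered `authorization_signed_response_alg` is rejected even when it is otherwise a permitted algorithm.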