[Openid-specs-fapi] Issue #522: optional ID Token signature validation for code flow (openid/fapi)

panva issues-reply at bitbucket.org
Thu Jul 14 14:42:30 UTC 2022


New issue 522: optional ID Token signature validation for code flow
https://bitbucket.org/openid/fapi/issues/522/optional-id-token-signature-validation-for

Filip Skokan:

This issue calls for clarification on inheriting optional `response_type=code` [OIDC](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) behaviour which allows the client to omit verifying the ID Token signature.

> If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature.

Both FAPI 2.0 and FAPI 1.0 (only when using response_code and JARM) are in question here.

Having checked FAPI 2.0, 1.0 Baseline and 1.0 Advanced I have not found a statement which would profile client behaviour to require verifying these signatures.

Is the above quoted OIDC behaviour intended to be allowed in FAPI? If so, the conformance suite is not allowing such behaviour. If not, we should probably add language to FAPI 2.0 and there’s probably very little we can do with the 1.0 spec.
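As an added illustration (not code from this issue, the FAPI specifications, or the conformance suite), the following Python shows what the two client-side paths permitted by the quoted OIDC Core text look like side by side: signature verification, or issuer validation via the TLS channel when the token came straight from the token endpoint. Everything in it is constructed: the HS256 stand-in signature (a FAPI OP signs ID Tokens with PS256 or ES256, so a real client would use a JOSE library and the OP's JWKS), the `from_token_endpoint_over_tls` flag a client would set from knowledge of which channel delivered the token, and the sample issuer, client_id and nonce values. The point the code makes is that skipping the signature check never skips the claim checks, and is only acceptable for a token that was received directly from the token endpoint over a validated TLS connection.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_id_token(claims: dict, key: bytes) -> str:
    """Build a constructed test ID Token.

    Assumption: HS256 is a stand-in so the example runs on the standard
    library alone; real FAPI ID Tokens are PS256/ES256-signed by the OP.
    """
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def signature_valid(token: str, key: bytes) -> bool:
    """Constant-time check of the HS256 stand-in signature."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def validate_id_token(token: str, *, issuer: str, client_id: str, nonce: str,
                      key: Optional[bytes] = None,
                      from_token_endpoint_over_tls: bool = False,
                      now: Optional[int] = None) -> dict:
    """Validate an ID Token and return its claims, or raise ValueError.

    Two ways to authenticate the issuer:
      - key given: the signature is verified (always acceptable);
      - no key: accepted only when the token arrived directly from the
        token endpoint over a validated TLS connection (the OIDC Core MAY);
        a token from any other channel is rejected.
    The claim checks below run on both paths.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned ID Token rejected")
    if key is not None:
        if not signature_valid(token, key):
            raise ValueError("ID Token signature invalid")
    elif not from_token_endpoint_over_tls:
        raise ValueError("signature check required: token was not received "
                         "directly from the token endpoint over TLS")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("aud does not contain client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without matching azp")
    if "iat" not in claims:
        raise ValueError("iat missing")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("ID Token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_ok(token: str, **kwargs) -> bool:
    """Boolean wrapper so the reject paths can be exercised without try/except."""
    try:
        validate_id_token(token, **kwargs)
        return True
    except ValueError:
        return False
```

Called with `key` set, the function behaves like a client that always verifies signatures (what the conformance suite currently expects); called with `from_token_endpoint_over_tls=True` and no key, it behaves like a client relying on the OIDC Core allowance. A token that reached the client by any other route, with no key to check it against, is refused on both readings.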
