[Openid-specs-fapi] Issue #659: No normative statement on id_token encryption (openid/fapi)

josephheenan issues-reply at bitbucket.org
Wed Jan 10 02:39:49 UTC 2024


New issue 659: No normative statement on id_token encryption
https://bitbucket.org/openid/fapi/issues/659/no-normative-statement-on-id_token

Joseph Heenan:

The FAPI2 comparison table in the spec (see screenshot & red circle) currently says “No encryption and no ID Tokens in the front channel”.

However, I cannot find normative text in the specification that says encryption must not be used for id_tokens, so I think encryption is permitted.

This is a potential source of interoperability problems. In particular, I believe the FAPI2 conformance tests allow OPs to return encrypted id tokens, but do not test that clients can handle encrypted ID tokens.

![](https://bitbucket.org/repo/K7gLBb/images/1200540992-Screenshot%202024-01-10%20at%2011.36.12.png)
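The interoperability gap described in the issue is that an OP may return an id_token as a JWE (five dot-separated segments) while a client has only implemented JWS handling (three segments). The following is an added example, not code from the issue or from the FAPI specification or conformance suite, showing how a relying party can detect which form it received before attempting validation, so that an unsupported encrypted token fails with a clear error instead of a confusing signature failure. The sample tokens are constructed inline with placeholder signature and ciphertext bytes; only the JOSE header structure is meaningful here, and no real cryptography is performed.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JOSE serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_id_token(token: str) -> str:
    """Return "JWS" or "JWE" based on the compact serialization and protected header.

    JWS compact form:  header.payload.signature                         (3 segments)
    JWE compact form:  header.encrypted_key.iv.ciphertext.tag           (5 segments)
    Anything else, or a header missing the fields each form requires, is rejected.
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")

    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("protected header is not base64url-encoded JSON") from exc

    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("protected header must carry 'alg'")

    if len(parts) == 5:
        # A JWE must name both the key-management ("alg") and content ("enc") algorithms.
        if "enc" not in header:
            raise ValueError("five-segment token lacks 'enc'; not a valid JWE")
        return "JWE"

    # Three segments: a JWS. An unsigned token ("alg": "none") is never acceptable here.
    if header["alg"] == "none":
        raise ValueError("unsigned id_token ('alg': 'none') rejected")
    return "JWS"


def client_can_process(token: str, supports_jwe: bool = False) -> bool:
    """Mirror the issue's concern: a client that never implemented JWE cannot
    consume an encrypted id_token, even though the spec does not forbid the OP
    from sending one. Returns False rather than raising so the caller can log it."""
    kind = classify_id_token(token)
    if kind == "JWE" and not supports_jwe:
        return False
    return True


# --- Constructed sample tokens (placeholder bytes, not real signatures/ciphertext) ---
SAMPLE_JWS = ".".join([
    _b64url_encode(json.dumps({"alg": "PS256", "kid": "constructed-kid"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://op.example", "sub": "constructed-sub"}).encode()),
    _b64url_encode(b"constructed-signature-bytes"),
])

SAMPLE_JWE = ".".join([
    _b64url_encode(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "constructed-kid"}).encode()),
    _b64url_encode(b"constructed-encrypted-cek"),
    _b64url_encode(b"constructed-iv"),
    _b64url_encode(b"constructed-ciphertext"),
    _b64url_encode(b"constructed-tag"),
])


if __name__ == "__main__":
    for name, tok in (("JWS", SAMPLE_JWS), ("JWE", SAMPLE_JWE)):
        print(name, classify_id_token(tok), "client ok:", client_can_process(tok))
```

A client that performs this check up front can report "encrypted id_token not supported" at the point of receipt, which is far easier to diagnose in an interoperability test than a generic signature-verification failure on a token that was never a JWS.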