Need some help to understand userinfo_encrypted_response_* values
John Bradley
john.bradley at wingaa.com
Mon Jun 12 12:19:22 UTC 2017
From the connect registration spec:

id_token_encrypted_response_alg
    OPTIONAL. JWE alg algorithm [JWA]
    <http://openid.net/specs/openid-connect-registration-1_0.html#JWA> REQUIRED
    for encrypting the ID Token issued to this Client. If this is requested,
    the response will be signed then encrypted, with the result being a Nested
    JWT, as defined in [JWT]
    <http://openid.net/specs/openid-connect-registration-1_0.html#JWT>. The
    default, if omitted, is that no encryption is performed.

id_token_encrypted_response_enc
    OPTIONAL. JWE enc algorithm [JWA]
    <http://openid.net/specs/openid-connect-registration-1_0.html#JWA> REQUIRED
    for encrypting the ID Token issued to this Client. If
    id_token_encrypted_response_alg is specified, the default for this value is
    A128CBC-HS256. When id_token_encrypted_response_enc is included,
    id_token_encrypted_response_alg MUST also be provided.

userinfo_signed_response_alg
    OPTIONAL. JWS alg algorithm [JWA]
    <http://openid.net/specs/openid-connect-registration-1_0.html#JWA> REQUIRED
    for signing UserInfo Responses. If this is specified, the response will be
    JWT [JWT] <http://openid.net/specs/openid-connect-registration-1_0.html#JWT>
    serialized, and signed using JWS. The default, if omitted, is for the
    UserInfo Response to return the Claims as a UTF-8 encoded JSON object using
    the application/json content-type.

I have no idea if the IDP you are registering with supports encrypted
user_info responses. Most will just ignore those parameters.
John B.
On Jun 12, 2017 6:56 AM, "Bhathiya Jayasekara" <tobhathiyaj at gmail.com>
wrote:
Hi all,
I'm trying to receive JWT responses for userinfo requests. As per the
DCR spec I have to send the following values in the DCR request.
userinfo_encrypted_response_alg
userinfo_encrypted_response_enc
userinfo_signed_response_alg
But I don't understand the difference between the first 2 values. Could you
please be kind enough to give me some explanation. Maybe an example would
be great.
Thanks,
Bhathiya
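
The difference between the two userinfo_encrypted_response_* values asked about in this thread, as an added example that is not from either poster or from the OpenID specs: `alg` selects how the content encryption key is protected for the client, `enc` selects how the response payload itself is encrypted. The function name and the sample metadata are constructed for illustration; the code assumes the userinfo_* encryption parameters follow the same rules as the id_token_* ones quoted above, and that a signed or encrypted UserInfo response is returned as application/jwt as OpenID Connect Core specifies.

```python
# Added example: resolves the UserInfo response format a client asked for in
# its Dynamic Client Registration metadata. Function name is hypothetical.
DEFAULT_ENC = "A128CBC-HS256"  # default when an *_encrypted_response_alg is given


def resolve_userinfo_response(metadata):
    """Return the content type, JWS header and JWE header implied by metadata."""
    sig_alg = metadata.get("userinfo_signed_response_alg")
    key_alg = metadata.get("userinfo_encrypted_response_alg")
    enc = metadata.get("userinfo_encrypted_response_enc")

    # "When ..._enc is included, ..._alg MUST also be provided."
    if enc is not None and key_alg is None:
        raise ValueError("userinfo_encrypted_response_enc requires "
                         "userinfo_encrypted_response_alg")

    if sig_alg is None and key_alg is None:
        # Default: plain Claims as a UTF-8 encoded JSON object.
        return {"content_type": "application/json",
                "jws_header": None, "jwe_header": None}

    jws_header = {"alg": sig_alg} if sig_alg else None
    jwe_header = None
    if key_alg:
        # alg: how the content encryption key is protected for the client
        # enc: how the payload is encrypted with that key
        jwe_header = {"alg": key_alg, "enc": enc or DEFAULT_ENC}
        if sig_alg:
            jwe_header["cty"] = "JWT"  # Nested JWT: signed first, then encrypted
    return {"content_type": "application/jwt",
            "jws_header": jws_header, "jwe_header": jwe_header}


# Constructed registration metadata (sample values, not taken from the thread).
SAMPLE = {
    "redirect_uris": ["https://client.example.org/cb"],
    "userinfo_signed_response_alg": "RS256",
    "userinfo_encrypted_response_alg": "RSA-OAEP",
}

if __name__ == "__main__":
    print(resolve_userinfo_response(SAMPLE))
```
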