Messages 5.3 Check ID Request Verification

Issue #380 resolved
John Bradley created an issue

The Authorization Server MUST check that the id_token parameter is present and that if it is signed, it MUST verify the signature according to Section 5 of

Our default signature alg is HS256, so the endpoint can't be stateless. It needs to look up the client secret to validate the token before responding. The Check ID endpoint not properly checking would be a major fail. I will add some warning text.

The alternatives are:
1. Making asymmetric the default.
2. Eliminating Check ID.
3. Live with stateful.
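As an added illustration of the point in the issue (example code, not from the spec draft or from the post): a minimal Check ID handler for the HS256 default has to look up the client secret of the token's audience before it can verify the signature, so the endpoint carries state. The client registry, secret and helper function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed client registry: the state a Check ID endpoint needs when
# id_tokens are HS256-signed (hypothetical client id and secret).
CLIENT_SECRETS = {
    "client-abc": b"constructed-client-secret-for-client-abc",
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_id(id_token):
    """Return the verified claims or raise ValueError, as a Check ID endpoint would."""
    if not id_token:
        raise ValueError("id_token parameter is missing")
    try:
        h64, p64, s64 = id_token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except Exception as exc:
        raise ValueError("id_token is malformed") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("id_token header and payload must be JSON objects")
    # Only the symmetric default is handled here; "none" or any other alg is rejected.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    # The HMAC key is the client secret of the audience, so the endpoint must look it up.
    aud = payload.get("aud")
    secret = CLIENT_SECRETS.get(aud) if isinstance(aud, str) else None
    if secret is None:
        raise ValueError("unknown client in aud; no signing key available")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature verification failed")
    return payload

def make_id_token(claims, secret):
    """Build an HS256 id_token so the endpoint can be exercised (constructed helper)."""
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```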

Comments (3)
