Messages - 5.1 OpenID Request Object verification.

Issue #385 resolved
Edmund Jay created an issue

The current draft is written as {{{ If the request contains a OpenID Request Object, the Authorization Server MUST validate the signature according to Section 4.3.2 of OpenID Connect Standard 1.0 [OpenID.Standard]. }}}

Perhaps it should be: {{{ If the request contains a signed OpenID Request Object, the Authorization Server MUST validate the signature according to Section 5 of JWS [JWS]. }}} ???

Comments (2)

  1. John Bradley

    There is more to validating the token than is in JWS. That is just the programmatic part.

    We have to say what fields need to be compared and what they need to contain. Only part of that is JWS.

  2. Michael Jones

    We reached the conclusion that the validation rules in Standard, such as 2.3.2. (Authorization Server Validates Request Object) and 5.2.1 (Response Verification) should be moved to Messages. There should be no references from Messages to Standard.
