Basic - Drop the need for signature validation in basic profile

Issue #568 resolved
Torsten Lodderstedt created an issue

If the basic client flow is changed to grant type code, integrity and authenticity of the id token is already ensured by TLS.

Because of the direct TLS-protected connection between RP and AS on the tokens endpoint, the RP no longer needs to validate the digital signature of an id token. This is because the authenticity of the issuer is already ensured by TLS server authentication. This would further simplify RP implementations and follow the OAuth 2.0 spirit to avoid signatures if possible. Clearly, signature validation is still needed for all indirect transmissions of id tokens.
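As an added illustration (not code from the issue or from the OpenID Connect specification), a minimal RP check that applies the distinction made above: an ID token obtained directly from the token endpoint over TLS skips the JWS signature check but still has its claims checked, while a token received indirectly is always signature-verified. The issuer, client_id, client secret and the HS256 algorithm are assumed sample values.

```python
import base64, hashlib, hmac, json, time

CLIENT_SECRET = b"constructed-client-secret"  # constructed; a real RP uses its client_secret / OP JWKS
ISSUER = "https://op.example"                 # assumed issuer identifier
CLIENT_ID = "rp-client-id"                    # assumed RP client_id

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims, key):
    """Constructed HS256 ID token, standing in for what the OP would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token, via_token_endpoint, now=None):
    """Return the claims if acceptable, else raise ValueError.
    via_token_endpoint=True models the code flow from the issue: the token came over the
    RP's own TLS-authenticated connection to the OP, so the JWS signature check is skipped.
    Tokens received indirectly (e.g. via the browser) are always signature-checked."""
    h, p, s = token.split(".")  # raises ValueError on a malformed compact JWS
    if not via_token_endpoint:
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never accept 'none' or an unknown alg
        expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    # Claim checks apply on both paths: TLS authenticates the server, not the token content.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("wrong audience")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def is_acceptable(token, via_token_endpoint, now=None):
    """Boolean wrapper for callers that prefer a verdict to an exception."""
    try:
        return bool(validate_id_token(token, via_token_endpoint, now))
    except ValueError:
        return False
```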

Comments (4)

  1. Torsten Lodderstedt reporter

    (Reply via tor...@lodderstedt.net):

    Yes. And since I proposed to change the basic profile to code, this also implies dropping signature validation for this profile.

    regards, Torsten.

    OpenID Foundation <issues-reply@bitbucket.org> wrote:
