Certification: remove requirement for RP to support unsigned jwt
Following on from the discussion last year ( http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200810/007880.html ) about removing the requirement for OPs to implement unsigned JWTs, the certification team would appreciate feedback from the working group on a request to remove a similar requirement on RPs:
https://gitlab.com/openid/conformance-suite/-/issues/878
Comments (6)
- changed status to open
-
This change would be appreciated. We are currently affected by this. Thanks.
-
We are also looking forward to having this fix in place. Do you have an ETA? @Nat Sakimura @mbj
-
reporter Relevant WG call minutes: http://lists.openid.net/pipermail/openid-specs-ab/2021-April/008136.html
We’ve just rolled out a new release to production that should allow this particular behaviour, https://gitlab.com/openid/conformance-suite/-/tags/release-v4.1.10
We don’t have a system setup like this so we can’t 100% confirm, please rerun the test as soon as you can to check. The expected behaviour would be that the test ends with a warning due to non-support for unsigned id tokens (warnings are permitted for certification).
(If you see an issue please send certification@oidf.org the url for the log-detail page that shows the failure.)
I believe this ticket can now be closed.
- changed status to resolved
Resolved, per @josephheenan's comment.
To be consistent, we should probably allow RPs to pass with only a warning if they don’t support unsigned ID Tokens. This position was supported on the 5-Apr-21 working group call.