validation of 'alg' in backchannel logout token

https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation says nothing about ‘alg’ and hence I believe clients are expected to follow OIDC id token validation, which says:

The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the id_token_signed_response_alg parameter during Registration.”

the ‘should’ implying it is recommended but not required behaviour to check ‘alg’.

The certificate suite contains a test “rp-backchannel-rpinitlogout-lt-wrong-alg” which requires the client to reject a logout token which is signed with [for a static client] an alg other than RS256, implying this is required behaviour and not a ‘should’.

The logout spec should probably clarify how ‘alg’ must be verified, or we should change the certification test to only ‘warn’ rather than ‘fail’ when this test fails.

(This was raised with the certification team by Raymond Field at Mvine)

Comments (4)