- changed title to Messages - 5 underspecified use of signing and encryption
Messages - 5 underspecified use of signing and encryption
"OpenID Connect MAY use JWS/JWE"
Unspecified which messages can be signed/encrypted, and how that is supposed to be reconciled with OAuth2 - where JSON (not JWT/JWS/JWE) shows up only for token responses.
Comments (8)
- marked as minor
assigned issue to
- marked as enhancement
- changed status to open
Before final, put encryption and signing examples.
- changed status to on hold
Account Deleted: I disagree with type=enhancement, this issue is in my view major or critical -- no idea how to apply signing/encryption, and how to deal with the possible deviations from OAuth. Normative text is expected.
assigned issue to
- changed status to open
The request object can be signed. The code cannot be signed. A token request cannot be signed. The access token is not signed. The id_token is signed. The user_info response can be signed.
All signed objects can also be encrypted.
The spec should be updated to add this information.
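The split the comment above describes (id_token always signed, request object and user_info response optionally signed), as an added Python example that is not part of this issue or of the OpenID Connect specification: a minimal JWS compact-serialization HS256 signer and an id_token verifier built on the standard library only. The shared secret, issuer, client id and claims are constructed sample values, and the nested JWE encryption the comment mentions is not shown.

```python
# Added example (not from this issue or the spec): sign an id_token as a JWS
# and verify it the way a relying party must, using only the standard library.
# HS256 with a constructed shared secret stands in for the OP's signing key.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: BASE64URL(header).BASE64URL(payload).BASE64URL(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    now: Optional[int] = None) -> dict:
    """Check the signature first, then iss/aud/exp. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if int(claims.get("exp", 0)) <= (int(time.time()) if now is None else now):
        raise ValueError("expired")
    return claims
```

The same signer produces a signed request object; only the claim checks differ, since a request object carries authorization parameters rather than iss/aud/exp.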
assigned issue to
- changed status to resolved
Fix #199