Issue #199 resolved

Messages - 5 underspecified use of signing and encryption

jbufu
created an issue

"OpenID Connect MAY use JWS/JSW"

Unspecified which messages can be signed/encrypted, and how that is supposed to be reconciled with OAuth2 - where JSON (not JWT/JWS/JWE) shows up only for token responses.

Comments (8)

  1. jbufu reporter

    I disagree with type=enhancement, this issue is in my view major or critical -- no idea how to apply signing/encryption, and how to deal with the possible deviations from OAuth. Normative text is expected.

  2. Michael Jones

    The request object can be signed. The code cannot be signed. A token request cannot be signed. The access token is not signed. The id_token is signed. The user_info response can be signed.

    All signed objects can also be encrypted.

    The spec should be updated to add this information.
