query over userinfo_signing_alg_values_supported & aggregated claims
The certification team have had a query over userinfo_signing_alg_values_supported - in particular whether when using aggregated claims the signing alg should be in userinfo_signing_alg_values_supported.
There is currently a test that returns an alg: none aggregated claim from the userinfo endpoint, but does not have “none” in userinfo_signing_alg_values_supported - https://gitlab.com/openid/conformance-suite/-/issues/1259
Any feedback from the working group about whether the current test is okay or not would be appreciated please.
Thanks Paul!
I guess the other angle is that we have previously changed this so that participants don’t have to support the “none” alg as per https://gitlab.com/openid/conformance-suite/-/issues/878 etc. So updating the test to use a signed object instead is a possibility if the WG want to go in that direction.
This is my issue. I dug into it a little bit more, and it looks like the recent errata have some updates here: #1066 says
However, this still isn’t clear about what the client should do with a “none” signed claim. In the absence of something explicit saying that “none” is acceptable, it would seem to be more secure to disallow it (and to update the certification test). Or perhaps as in #1117, the client should ignore the claims with the “none” signature?
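An added example (not from the conformance suite or either commenter) of the client-side gate the thread discusses: before trusting an aggregated claim, the RP checks the JWT header of each _claim_sources entry against the OP's userinfo_signing_alg_values_supported, and treats alg “none” as never acceptable, either rejecting the response or ignoring those claims (the two options raised above). The sample userinfo response, the supported-alg set and the function names are constructed for this illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_with_header(alg: str, payload: dict) -> str:
    """Constructed test token: real header/payload, placeholder signature part."""
    sig = "" if alg == "none" else "placeholder-signature"
    return f"{b64url(json.dumps({'alg': alg}).encode())}.{b64url(json.dumps(payload).encode())}.{sig}"


class AggregatedClaimError(ValueError):
    pass


def gate_aggregated_claims(userinfo: dict, supported_algs: set, mode: str = "reject") -> dict:
    """Return aggregated claims whose source JWT passes the alg check.

    mode="reject" raises on an unacceptable alg; mode="ignore" drops that
    claim. Signature verification against the OP's JWKS must still follow
    for the claims returned here; only the alg gate is shown.
    """
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    accepted = {}
    for claim, src in names.items():
        jwt = sources.get(src, {}).get("JWT")
        if jwt is None:
            continue  # distributed claims (endpoint reference) are out of scope here
        header = json.loads(b64url_decode(jwt.split(".")[0]))
        alg = header.get("alg")
        if alg == "none" or alg not in supported_algs:
            if mode == "reject":
                raise AggregatedClaimError(f"claim {claim!r}: alg {alg!r} not acceptable")
            continue
        payload = json.loads(b64url_decode(jwt.split(".")[1]))
        if claim in payload:
            accepted[claim] = payload[claim]
    return accepted


def userinfo_with_source(alg: str) -> dict:
    """Constructed userinfo response with one aggregated 'address' claim."""
    return {
        "sub": "248289761001",
        "_claim_names": {"address": "src1"},
        "_claim_sources": {"src1": {"JWT": jwt_with_header(alg, {"address": {"country": "US"}})}},
    }


SUPPORTED = {"RS256", "ES256"}  # constructed userinfo_signing_alg_values_supported
```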