Registration - 2.1 possibly missing require_encrypted_request_object parameter
Issue #507
invalid
The Discovery spec can discover the supported signature and encryption algorithms of the request object for the Authorization server, but the Registration spec does not have a corresponding parameter to register the encryption algorithm preferences for the request object, like the userinfo and id token.
Comments (2)
- changed status to invalid
If the server is not accepting unsigned requests, then the client is free to encrypt or not encrypt under its control. Adding require encrypted request object won't add any security.
Invalid