Basic - Drop the need for signature validation in basic profile

Issue #568 resolved
Torsten Lodderstedt created an issue

If the basic client flow is changed to grant type code, integrity and authenticity of the id token is already ensured by TLS.

Because of the direct TLS-protected connection between RP and AS on the tokens endpoint, the RP no longer needs to validate the digital signature of an id token. This is because the authenticity of the issuer is already ensured by TLS server authentication. This would further simplify RP implementations and follow the OAuth 2.0 spirit to avoid signatures if possible. Clearly, signature validation is still needed for all indirect tranmissions of id tokens.

Comments (4)

  1. Torsten Lodderstedt reporter

    (Reply via

    Yes. And since I proposed to change the basic profile to code, this also implies to drop signature validation for this profile.

    regards, Torsten.

    OpenID Foundation <> schrieb:

  2. Log in to comment