- changed status to open
- assigned issue to
General - removal of symmetric signatures for id tokens
I think the spec could benefit from removing support for symmetric signatures and supporting asymmetric signatures only. RPs (even public clients) could validate signatures based on the AS's public key. Interop would benefit because of the reduced number of algorithms; security would benefit because of the limited applicability of symmetric signatures (two parties only!). Moreover, the dual use of client secrets for authentication at the AS (original use case) and for creation/validation of digital signatures would be put to an end.
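As an added illustration of the two-party limitation and the dual-use problem raised in this issue (example code written for this page, not part of the OpenID Connect specification or any of its implementations), the following Go program builds minimal HS256 and RS256 JWS signers and verifiers over constructed claims. With HS256 the RP's verification key is the client secret itself, so the RP, or anyone who has taken its secret, can mint an ID token that verifies, and only the two parties sharing that secret can validate it at all; with RS256 the RP verifies with the AS's public key and cannot sign. The issuer, subject, audience and secret values are made up. One caveat the issue does not raise but every deployment needs: the verifier fixes the algorithm from its own configuration and rejects tokens whose header names another one, rather than letting the token pick.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWS segments use unpadded base64url.
var b64 = base64.RawURLEncoding

// signingInput builds the JWS "BASE64URL(header).BASE64URL(payload)" string.
func signingInput(alg string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
}

// splitToken returns the signing input and decoded signature, rejecting any
// token whose header does not carry the alg the verifier is configured for.
func splitToken(token, wantAlg string) (input string, sig []byte, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, false
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", nil, false
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != wantAlg {
		return "", nil, false
	}
	if sig, err = b64.DecodeString(parts[2]); err != nil {
		return "", nil, false
	}
	return parts[0] + "." + parts[1], sig, true
}

// SignHS256 issues an HS256 token with the client secret. Anyone holding that
// secret can run it: the AS, the RP it was issued to, or whoever compromised either.
func SignHS256(secret []byte, claims map[string]any) string {
	input := signingInput("HS256", claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 needs the same secret the signer used, so only the two parties
// sharing it can validate, and either of them can also forge.
func VerifyHS256(secret []byte, token string) bool {
	input, sig, ok := splitToken(token, "HS256")
	if !ok {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return hmac.Equal(sig, mac.Sum(nil))
}

// SignRS256 issues an RS256 token; only the AS holds the private key.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	input := signingInput("RS256", claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 needs only the AS's public key, which can be handed to every RP,
// public clients included, without letting any of them sign.
func VerifyRS256(pub *rsa.PublicKey, token string) bool {
	input, sig, ok := splitToken(token, "RS256")
	if !ok {
		return false
	}
	digest := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed sample values; nothing here comes from a real deployment.
	secret := []byte("rp1-client-secret") // shared by the AS and rp1 for client authentication
	claims := map[string]any{"iss": "https://as.example", "sub": "admin", "aud": "rp1"}

	// Symmetric: rp1's verification key is also a forging key, and rp2 cannot check it.
	forged := SignHS256(secret, claims)
	fmt.Println("HS256 token minted by rp1 verifies at rp1:", VerifyHS256(secret, forged))
	fmt.Println("same token verifies at rp2 (other secret):", VerifyHS256([]byte("rp2-client-secret"), forged))

	// Asymmetric: the RP verifies with the public key; any other signer is rejected.
	asKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	genuine, _ := SignRS256(asKey, claims)
	bogus, _ := SignRS256(attackerKey, claims)
	fmt.Println("RS256 token from the AS verifies:", VerifyRS256(&asKey.PublicKey, genuine))
	fmt.Println("RS256 token under another key verifies:", VerifyRS256(&asKey.PublicKey, bogus))
	fmt.Println("HS256 token presented to the RS256 verifier:", VerifyRS256(&asKey.PublicKey, forged))
}
```

The asymmetric verifier is the one an RP can safely run without holding any signing capability; with the symmetric scheme, a leak of the client secret from the RP side yields both client impersonation at the AS and freely forgeable ID tokens, which is the dual use the issue asks to end.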
Comments (7)
- Account Deleted: As brought up in meeting: pass by reference "any signatures as supported by JWS"
- Make RS256 the default signing alg for id_token re #571
- addresses #571 General - removal of symmetric signatures for id tokens
- addresses #571 General - removal of symmetric signatures for id tokens, added public key information for id tokens
- addresses #571 General - removal of symmetric signatures for id tokens, updated examples for request object
- changed status to resolved
Accepted.
Symmetric sigs as specified now do not add any value.
Propose a new binding / sig scheme for symmetric for the use cases that require it.