Messages - 2.1.1 Last Paragraph - id_token

Comments (4)

1. 

   John Bradley

   Perhaps

   id_token OPTIONAL. An ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent. The value is a JWS encoded ID token as signed by the issuer, the JWS may be JWE encrypted by the public key of the issuer for additional confidentiality. If the id_token received by the RP was encrypted, the Client MUST decrypt the signed id_token (JWS).

   The token could be symmetrically encrypted so I changed it to always decrypt, and send the JWE as signed by the issuer, allowing it to be encrypted as a JWE with the public key of the issuer independent of it having been received as a JWE.

   I think that is the correct thing.

   • 2012-09-12T15:37:32+00:00
2. 

   Michael Jones

   If sent encrypted to the OP, it will need to reencrypted to the OP's public key. Whether to do so is up to the client.

   • 2012-09-13T14:46:21+00:00
3. 

   Nat Sakimura reporter

   New Proposal based on the feedback above:

   id_token
   OPTIONAL. An ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent. The value is a JWS encoded ID token as signed by the issuer, the JWS may be JWE encrypted by the public key of the issuer for additional confidentiality. If the id_token received by the RP was encrypted, the Client MUST decrypt the signed id_token (JWS). The Client MAY re-encrypt using the key that the server is capable of decrypting. 
   

   • 2012-09-20T22:55:11+00:00
4. 

   Nat Sakimura reporter

   • changed status to resolved

   Fixed #651 - Messages: id_token in the request tightened up.

   → 32ac6a72fa79

   • 2012-09-24T15:22:48+00:00
5. Log in to comment