- changed milestone to Implementer's Draft
Messages/Registration preclude a client who wants encrypted content but doesn't sign?
Issue #820
resolved
Wouldn't it be reasonable to think that some clients would want encrypted id tokens sent to them but would not sign requests? I'd think so. But the wording for jwks_uri for clients at http://openid.net/specs/openid-connect-messages-1_0-16.html#sigenc.key would seem to preclude that (for asymmetric anyway).
Same/similar text is in http://openid.net/specs/openid-connect-registration-1_0.html#client-metadata for jwks_uri
Comments (2)
- changed status to resolved
Fixed
#820 - Removed assumption that Clients that want encrypted responses also sign requests. → <<cset a5daeae04cbb>>
We will relax the language to not require the client to have a signing key present.
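
An added example, not part of the issue or of the specification text: a registration-side check in Python that follows the resolution in this issue by demanding a signing key only when the client itself declares an asymmetric signing algorithm. Parameter names are those of the final OpenID Connect Dynamic Client Registration 1.0; the function names, the client URL and the key values are constructed for illustration.

```python
# Added example. Checks that a client's JWKS covers the asymmetric algorithms
# the client declared, without assuming that encryption implies signing.

def _kty_for(alg):
    """Map a JWA algorithm name to the asymmetric key type it needs, or None."""
    if alg is None:
        return None
    if alg.startswith(("RSA", "RS", "PS")):
        return "RSA"
    if alg.startswith(("ECDH-ES", "ES")):
        return "EC"
    return None  # HS*, A*KW, dir, none: no public key needed (OKP not covered)

def _has_key(jwks, kty, use):
    # A JWK without a "use" member may serve either purpose.
    return any(k.get("kty") == kty and k.get("use", use) == use
               for k in jwks.get("keys", []))

# (registration parameter, JWK "use" value the parameter calls for)
NEEDS = [
    ("id_token_encrypted_response_alg", "enc"),
    ("userinfo_encrypted_response_alg", "enc"),
    ("request_object_signing_alg", "sig"),
    ("token_endpoint_auth_signing_alg", "sig"),
]

def check_client_keys(metadata, jwks):
    """Return a list of problems; empty means the JWKS matches the metadata."""
    problems = []
    for param, use in NEEDS:
        kty = _kty_for(metadata.get(param))
        if kty and not _has_key(jwks, kty, use):
            problems.append(f"{param}={metadata[param]} needs a {kty} '{use}' key")
    return problems

# Constructed sample data: a client that wants encrypted ID tokens and signs nothing.
ENC_ONLY_JWKS = {"keys": [{"kty": "RSA", "use": "enc", "kid": "enc-1",
                           "n": "constructed-modulus", "e": "AQAB"}]}
ENCRYPT_ONLY_CLIENT = {
    "jwks_uri": "https://client.example/jwks.json",
    "id_token_encrypted_response_alg": "RSA-OAEP",
    "id_token_encrypted_response_enc": "A128CBC-HS256",
}

if __name__ == "__main__":
    print(check_client_keys(ENCRYPT_ONLY_CLIENT, ENC_ONLY_JWKS))  # accepted
    signer = dict(ENCRYPT_ONLY_CLIENT, request_object_signing_alg="RS256")
    print(check_client_keys(signer, ENC_ONLY_JWKS))  # signing key missing
```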