Messages 2.1.2.1 - Clarify that "none" is not an acceptable signature algorithm

Comments (5)

1. 

   Brian Campbell

   "none" seems like a perfectly reasonable option when the ID Token is received over TLS directly from the Token Endpoint at the AS.

   • 2013-06-20T20:52:58+00:00
2. 

   Michael Jones reporter

   Messages currently requires Clients to validate the ID Token - saying "Clients MUST validate the ID Token per Section 4.2". John points out that we could relax this to allow clients to not check the signature in the same cases when Basic doesn't.

   We would still need to require OPs to sign the ID token to allow Clients to check the signature that want to. Not doing so would currently be a breaking change to some clients.

   • 2013-06-24T23:31:00+00:00
3. 

   Brian Campbell

   I disagree.

   How would that be a breaking change? If a client is currently configured/registered for RS/EC/HS signature, how would allowing none as a different option be a breaking change?

   Our implementation currently does allow none as an option (it will only send such an ID Token via the back-channel). Which is, I'll argue, a perfectly reasonable interpretation of what's been written. So explicitly disallowing it is a breaking change for us.

   • 2013-06-25T14:58:04+00:00
4. 

   Michael Jones reporter

   • assigned issue to
     
     Michael Jones

   To be consistent with Registration, and JWS/JWT, we will apply this correction.

   If Brian wants to propose allowing non-integrity-protected ID Tokens, this could be filed as a separate issue for Final.

   • 2013-06-27T14:31:31+00:00
5. 

   Michael Jones reporter

   • changed status to resolved

   Fixed #851 - Clarified that "none" is not an acceptable ID Token signature algorithm.

   → <<cset fa6d2e9a79b6>>

   • 2013-06-28T00:47:35+00:00
6. Log in to comment