Messages 4.2 - ID Token validation rules need to allow behavior specified in Basic (Issue #855, resolved)
Currently Messages says that the client must verify the ID Token signature, whereas Basic allows the client to not do so. We agreed on the call to revise Messages to allow the behavior defined in Basic.
Specifically, we will use language like the following:
"If the client has received the ID Token over a TLS-protected session directly from the token endpoint, then validating the ID Token signature is optional."
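As an added illustration, not part of the issue or of either spec's text, the following client-side validator applies the rule under discussion: the signature check is skipped only when the ID Token arrived directly from the Token Endpoint over a validated TLS session, while the issuer, audience, expiry and nonce checks run on every path. It assumes HS256 signing with a constructed client secret, an assumed issuer URL and client_id, and a fixed clock; all of these are example values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example (not from the issue or the spec).
CLIENT_SECRET = b"example-client-secret-not-a-real-key"  # HS256 key shared with the OP
ISSUER = "https://op.example.com"                        # assumed OP issuer identifier
CLIENT_ID = "s6BhdRkqt3"                                 # assumed client_id
NOW = 1_700_000_000                                      # fixed clock for reproducible results


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Mint an HS256-signed JWT in compact serialization, as a test OP would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def signature_is_valid(token: str, secret: bytes) -> bool:
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def validate_id_token(token: str, expected_nonce: str, received_directly_over_tls: bool,
                      secret: bytes = CLIENT_SECRET, now: int = NOW) -> list:
    """Return the list of validation failures; an empty list means the token is accepted."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["malformed JWT"]

    # The step the issue makes optional: when the token came straight from the
    # Token Endpoint over a validated TLS session, TLS server validation stands in
    # for the signature check. On any other delivery path the signature must be
    # verified, with the expected algorithm pinned so an "alg":"none" header
    # cannot turn the check off.
    if not received_directly_over_tls:
        if header.get("alg") != "HS256":
            problems.append("unexpected alg")
        elif not signature_is_valid(token, secret):
            problems.append("signature does not verify")

    # The claim checks are not relaxed by the issue; they apply on every path.
    if claims.get("iss") != ISSUER:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in audiences:
        problems.append("aud does not include this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("ID Token has expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


if __name__ == "__main__":
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "exp": NOW + 600, "iat": NOW, "nonce": "n-0S6_WzA2Mj"}
    good = make_id_token(claims)
    forged = make_id_token(claims, secret=b"some-other-secret")  # signed with the wrong key
    print("good, via token endpoint:   ", validate_id_token(good, "n-0S6_WzA2Mj", True))
    print("forged, via token endpoint: ", validate_id_token(forged, "n-0S6_WzA2Mj", True))
    print("forged, other delivery path:", validate_id_token(forged, "n-0S6_WzA2Mj", False))
```

The `received_directly_over_tls` flag is the caller's assertion that the token came back in the Token Endpoint response over a connection whose server certificate was validated; a token obtained any other way (for example from a front-channel response) must not set it, and then the signature and algorithm checks are mandatory.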
Comments (1)
reporter:
It turns out that Messages already correctly handles this case. It says:
If the "id_token" is received via direct communication between the Client and the Token Endpoint, the TLS server validation MAY be used to validate the issuer in place of checking the token signature.