- changed milestone to Final
assigned issue to
Registration Section 2 id_token_signed_response_alg
Issue #867
resolved
Remove with the exception of "none" for valid algs. If a client requests no signature the server should be allowed to do it. For performance reasons a server only supporting the code flow might have clients register for none and avoid the RS256 signing if the clients don't need it.
The server MUST sign if the id_token is issued in the front channel, or the client has not configured itself out of band or through dynamic client registration for an alg of none.
The none parameter needs to also be allowed in discovery.
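The rule described above, as an added example that is not code from the spec or from the issue: an OP-side registration check, an OP-side issuance check, and the matching RP-side acceptance check. The discovery metadata, the sample token and all function names are assumptions for illustration.

```python
import base64
import json

# Response Types that return an ID Token from the Authorization Endpoint
# (Implicit and Hybrid flows): those ID Tokens travel in the front channel.
FRONT_CHANNEL_ID_TOKEN = {"id_token", "id_token token", "code id_token",
                          "code id_token token"}

# Constructed discovery metadata: "none" is advertised, as this issue requires.
DISCOVERY = {"id_token_signing_alg_values_supported": ["RS256", "none"]}

def registration_error(response_types, id_token_alg, discovery=DISCOVERY):
    """OP side, at (dynamic) registration: reject "none" unless every registered
    Response Type delivers the ID Token from the Token Endpoint. None = accepted."""
    if id_token_alg not in discovery["id_token_signing_alg_values_supported"]:
        return f"id_token_signed_response_alg {id_token_alg!r} not in discovery"
    if id_token_alg == "none" and FRONT_CHANNEL_ID_TOKEN & set(response_types):
        return '"none" is only allowed for clients using Code Flow response types'
    return None

def issuance_alg(registered_alg, via_token_endpoint):
    """OP side, at issuance: the server MUST sign a front-channel ID Token,
    so an unsigned token is produced only from the Token Endpoint."""
    if registered_alg == "none" and not via_token_endpoint:
        return "RS256"  # fall back to the default alg instead of issuing unsigned
    return registered_alg

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_id_token(claims: dict) -> str:
    """Constructed unsigned ID Token: JWS with "alg":"none" and an empty signature."""
    parts = [_b64url(json.dumps({"alg": "none"}).encode()),
             _b64url(json.dumps(claims).encode()), ""]
    return ".".join(parts)

def header_alg(id_token: str) -> str:
    """Read the JOSE header alg of a compact-serialised ID Token."""
    head = id_token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))["alg"]

def rp_alg_acceptable(header_alg_value, registered_alg, via_token_endpoint):
    """RP side: the alg must be the one the client registered, and "none" is
    acceptable only when the token came straight from the Token Endpoint."""
    if header_alg_value != registered_alg:
        return False
    return header_alg_value != "none" or via_token_endpoint
```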
Comments (2)
- changed status to resolved
Fixed
#867- Allow ID Tokens to use "alg":"none" when using the Code Flow→ <<cset 8f71a339fd6b>>
Per discussions on past calls, we will allow this.