- changed milestone to Final
-
assigned issue to
Michael Jones
Registration Section 2 id_token_signed_response_alg
Issue #867
resolved
Remove with the exception of "none" for valid algs. If a client requests no signature the server should be allowed to do it. For performance reasons a server only supporting the code flow might have clients register for none and avoid the RS256 signing if the clients don't need it.
The server MUST sign if the id_token is issued in the front channel, or the client has not configured itself out of band or through dynamic client registration for a alg of none.
The none parameter needs to also be allowed in discovery.
Comments (2)
-
-
- changed status to resolved
Fixed
#867- Allow ID Tokens to use "alg":"none" when using the Code Flow→ <<cset 8f71a339fd6b>>
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Registration
- Milestone
- Final
- Version
- –
- Votes
- 0
- Watchers
- 0
Per discussions on past calls, we will allow this.