- changed status to open
ID Token protection rules already defined in Core
§4 specifies that the OP must asymmetrically sign ID tokens carrying OpenID 2.0 identifiers.
"... then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token ..."
OpenID Core already defines different methods to protect the authenticity and integrity of ID Tokens (TLS on the token endpoint, HMAC, digital signatures). RPs and OPs can choose what fits their requirements and use cases best.
There is no need or benefit in prescribing a certain protection method in the migration spec. I therefore propose to remove this constraint.
Proposed text change: CURRENT "If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found, then the OP MUST include the OpenID 2.0 Identifier in the asymmetrically signed ID Token with the following claim name:"
NEW "If the verification of the Relying Party was successful and an associated OpenID 2.0 Identifier for the user is found, then the OP MUST include the OpenID 2.0 Identifier in the ID Token with the following claim name:"
Additionally, the security considerations section could point out the importance to prevent modifications of this ID Token claim.
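The point the issue makes is that an HMAC over the ID Token (the Core-defined symmetric option, keyed with the client_secret shared between OP and RP) already prevents undetected modification of any claim, including the migration claim carrying the OpenID 2.0 Identifier. The following is an added example written for this page, not code from the issue author, the OpenID Foundation or the Migration spec: an OP-side HS256 compact JWS over constructed ID Token claims, an RP-side verification, and a tampering attempt on the identifier claim that the MAC check rejects. The claim name is elided on this page, so `openid2_id` is used as a placeholder assumption; the issuer, audience, subject and identifier values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs for the demo (not from the issue or the spec).
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"
# Placeholder: the page elides the claim name the Migration spec assigns,
# so "openid2_id" is an assumption made for this example only.
OPENID2_CLAIM = "openid2_id"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url(); restores the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token_hs256(claims: dict, secret: bytes) -> str:
    """OP side: MAC the header.payload signing input with the shared secret.

    This is the symmetric (HS256) protection Core allows; authenticity and
    integrity of every claim rest on the secret, not on an asymmetric key.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_id_token_hs256(token: str, secret: bytes, expected_iss: str, expected_aud: str) -> dict:
    """RP side: check the MAC before trusting any claim, then iss/aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm: never let the token choose (alg=none, confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        raise ValueError("iss/aud mismatch")
    return claims


def tamper_claim(token: str, name: str, value) -> str:
    """Attacker: rewrite one payload claim, keeping the original MAC."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims[name] = value
    return h + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def demo():
    """Returns (identifier the RP accepted, whether the forgery was rejected)."""
    claims = {
        "iss": "https://op.example",        # constructed
        "aud": "rp-client-id",              # constructed
        "sub": "248289761001",              # constructed
        OPENID2_CLAIM: "https://op.example/user/alice",  # constructed
    }
    token = sign_id_token_hs256(claims, CLIENT_SECRET)
    accepted = verify_id_token_hs256(token, CLIENT_SECRET, "https://op.example", "rp-client-id")

    forged = tamper_claim(token, OPENID2_CLAIM, "https://op.example/user/bob")
    try:
        verify_id_token_hs256(forged, CLIENT_SECRET, "https://op.example", "rp-client-id")
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    return accepted[OPENID2_CLAIM], forgery_rejected


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add to the security considerations text: the symmetric option only protects the claim when the client_secret is actually confidential to the OP and the RP, so a public client (no secret) still needs the asymmetrically signed token or must fetch the token over TLS directly from the token endpoint; the RP must also pin the algorithm it expects rather than honouring whatever `alg` the token declares.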
Comments (2)
- changed status to resolved
fixes #964 - Migration - ID Token protection rules already defined in Core → <<cset 6af87324da8d>>
Agreed, we should make the change, that was the intent.