Inconsistency around encrypted ID Tokens

Issue #112 resolved
Brian Campbell created an issue

5.2.2 Authorization Server has "should support signed and encrypted ID Token" while 5.2.4 Confidential Client has "shall require both JWS signed and JWE encrypted ID Tokens". The "should" in the first statement seems inconsistent with the "shall" in the second statement.

It's not clear to me that encrypted ID Tokens are necessary, so maybe both statements could use "should" or even "may"? Regardless, the inconsistency should probably be resolved (or explain why it's not actually inconsistent).

Comments (6)

  1. Nat Sakimura
    • changed status to open

    Good point. I spotted the same actually earlier this week after reading the blog by Takahiko and was wondering if it is OK to make both 'should'. (Definitely not 'may', though. Alternatively, logically it is possible to make it 'shall' for the server and 'should' for the client.)