FAPI part 2 - JWE encrypted ID Tokens

Comments (16)

1. 

   Ralph Bragg

   If OPs can generate different ID Tokens from the "detached signature" to the id_token then encryption is less of an issue. If they can't then the id_token's claims will need to be encrypted if they're sent through the front channel.

   Arguably even the "sub" could be PII or sensitive depending on the value used for it.

   • 2018-08-04T17:46:30+00:00
2. 

   Torsten Lodderstedt reporter

   Thanks for the explanation.

   It think this is another good reason to separate signed authorization response and ID token (https://bitbucket.org/openid/fapi/issues/155/support-authorization-and-identity). The signed response does not contain PII (even so it could be encrypted to not expose the code to the browser). The ID token is served via the TLS protected connection from the token endpoint w/o the need to encrypt.

   • 2018-08-04T18:01:38+00:00
3. 

   Dave Tonge

   I think the wording could be tidied up here. I think the intent is that clients should be able to handle encrypted tokens, not that they are required to request them for every interaction.

   • 2018-08-06T07:09:09+00:00
4. 

   Torsten Lodderstedt reporter

   The should be "able to handle" or they "should be able to request"?

   • 2018-08-06T16:37:39+00:00
5. 

   Dave Tonge

   should be able to request

   Thanks

   • 2018-08-06T17:07:47+00:00
6. 

   Torsten Lodderstedt reporter

   make it a should and explain the reason

   • 2018-08-07T14:08:34+00:00
7. 

   Torsten Lodderstedt reporter

   • assigned issue to
     
     Torsten Lodderstedt

   • 2018-08-07T14:09:01+00:00
8. 

   Torsten Lodderstedt reporter

   • assigned issue to
     
     Nat Sakimura

   please review the pull request

   • 2018-08-11T16:55:30+00:00
9. 

   Nat Sakimura

   • changed status to open

   Looked at the pull request #65. It is using "shall" instead of "should". Did we agree to it? From what I see on the ticket, it seems that we wanted it to be "should".

   Note: even if the response contains PII (actually, everything is PII at this point anyway), if it only contains a low-risk PII only, unencrypted ID Token may be OK.

   • 2018-08-14T06:21:07+00:00
10. 

    Ralph Bragg

    Hi, this needs to be a should not a shall. If a pairwise single use identifier is used then there is no PII that leaks. The OB guidance states that if PII is to be conveyed then it’s a shall.

    Tightening this would have significant implications for existing implementations and whilst I’m all for mandating universally more secure tokens the political capital to get the aspsp’s to fall inline isn’t worth it in my opinion.

    Those that want to be id providers/players will opt in to encrypted towns .

    • 2018-08-14T07:57:30+00:00
11. 

    Torsten Lodderstedt reporter

    changed it to should

    • 2018-08-15T08:38:29+00:00
12. 

    Joseph Heenan

    • changed status to closed

    Added explanation of when and why clients shall request encrypted ID Tokens

    closes #159

    → <<cset 801e1616c16c>>

    • 2018-08-28T09:34:28+00:00
13. 

    Nat Sakimura

    • changed status to resolved

    Merged in 159-JWE-encrypted-ID-Tokens (pull request #65) that fixes #159

    added explanation when and why clients shall request encrypted ID Tokens

    Approved-by: Ralph Bragg ralph.bragg@raidiam.com

    → <<cset 4a3784b20cbd>>

    • 2018-08-29T07:53:58+00:00
14. 

    Nat Sakimura

    • changed component to Part 2: Advanced

    • 2022-12-14T15:36:09+00:00
15. 

    Nat Sakimura

    • changed component to FAPI 1 – Part 2: Advanced

    • 2022-12-14T15:36:43+00:00
16. 

    Nat Sakimura

    • changed component to FAPI 1: Advanced

    • 2022-12-14T15:38:53+00:00
17. Log in to comment