Editorial: Section 5.2.2.2.1. Duplicate Clause?

Issue #322 resolved
Ralph Bragg created an issue

Are both statements required in this sentence? I’ve read both of them backwards and forwards trying to see how they could be interpreted differently.

  1. if returning any sensitive personally identifiable information (PII) in the ID Token in the authorization response, should sign and encrypt the ID Token;
  2. if not encrypting the ID Token, should not return sensitive personally identifiable information (PII) in the ID Token in the authorization response

Comments (10)

  1. Joseph Heenan

    I think because they’re “should” rather than must they have slightly different meanings, but the points they’re making definitely overlap. The second one more strongly says “if you’re not going to follow the recommendation to encrypt, you should at least reduce the number of claims returned from the Authorization Endpoint”.

  2. Brian Campbell

    I’d suggest making it only about encryption. i.e., “if PII in ID Token in authz response, should/shall encrypt”. A statement like “if returning any sensitive personally identifiable information (PII) in the ID Token in the authorization response, should sign and encrypt the ID Token” could be read as not needing the signature if there’s no PII. But the signature is needed for other reasons. And required by other parts of FAPI and OIDC.

  3. Ralph Bragg reporter

    if PII in ID Token in authz response, shall encrypt gets my vote

    if returning any sensitive personally identifiable information (PII) in the ID Token in the authorization response, shall encrypt the ID Token

    I don’t think restating the semantics / requirements of an id_token is necessary.
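The policy the thread converges on (always sign the ID Token; encrypt it, or keep sensitive PII out of the front-channel copy, when it is returned in the authorization response) can be expressed as an authorization-server-side rule. The following is an added illustration, not text or code from the FAPI specification or from anyone in this thread. It assumes a constructed list of "sensitive PII" claim names, client metadata in the shape of OpenID Connect Dynamic Client Registration (the real `id_token_encrypted_response_alg` parameter), and HS256 with a shared key purely so the signing step runs with the standard library; a FAPI deployment would use an asymmetric algorithm, and the JWE wrapping itself is left to a JWE library and only signalled by a flag here.

```python
"""Added example: front-channel ID Token policy for the clause under discussion.

Assumed (not from the FAPI text): the sensitive-claim list, the client metadata
shape, and HS256 signing used here only so the example runs offline.
"""
import base64
import hashlib
import hmac
import json

# Assumed: claims this deployment treats as sensitive PII (constructed list).
SENSITIVE_PII_CLAIMS = {"name", "email", "phone_number", "address", "birthdate"}

# Constructed sample claim set for an authorization-response ID Token.
SAMPLE_CLAIMS = {
    "iss": "https://as.example",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "iat": 1700000000,
    "exp": 1700000300,
    "nonce": "n-0S6_WzA2Mj",
    "c_hash": "LDktKdoQak3Pk0cnXxCltA",
    "name": "Jane Doe",
    "email": "jane@example.com",
}

# Constructed client registrations: one without, one with ID Token encryption.
CLIENT_NO_JWE = {"client_id": "s6BhdRkqt3"}
CLIENT_JWE = {"client_id": "s6BhdRkqt3", "id_token_encrypted_response_alg": "RSA-OAEP"}

SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """JWS compact serialization with HS256 (illustrative; FAPI profiles
    require asymmetric algorithms such as PS256 or ES256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_hs256(token: str, key: bytes):
    """Return the payload if the JWS is a valid HS256 token under key, else None.
    The header alg is checked explicitly so an attacker-chosen alg is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    return json.loads(_b64url_decode(p))


def client_encrypts_id_token(client: dict) -> bool:
    """True when the client registered a JWE alg for its ID Tokens."""
    return bool(client.get("id_token_encrypted_response_alg"))


def front_channel_id_token_claims(claims: dict, client: dict) -> dict:
    """Second bullet of the issue: if the ID Token will not be encrypted, keep
    sensitive PII out of the authorization-response copy. The full claim set
    remains available from the token endpoint / userinfo over the back channel."""
    if client_encrypts_id_token(client):
        return dict(claims)
    return {k: v for k, v in claims.items() if k not in SENSITIVE_PII_CLAIMS}


def build_authz_response_id_token(claims: dict, client: dict, key: bytes) -> dict:
    """Always sign (the signature is needed regardless of PII); report whether
    the caller must additionally wrap the JWS in a JWE before returning it."""
    payload = front_channel_id_token_claims(claims, client)
    return {
        "jws": sign_hs256(payload, key),
        "encrypt": client_encrypts_id_token(client),
        "claims": payload,
    }


if __name__ == "__main__":
    for client in (CLIENT_NO_JWE, CLIENT_JWE):
        result = build_authz_response_id_token(SAMPLE_CLAIMS, client, SIGNING_KEY)
        print(sorted(result["claims"]), "encrypt:", result["encrypt"])
```

Splitting the rule into a claim filter and a signing step makes the two requirements visibly independent: the signature is produced on every path, while encryption (or, failing that, the removal of PII) is decided only by whether the client registered an encryption algorithm.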
