Prohibition of alg=none not quite enough
Issue #510
resolved
Since we are trying to integrity protect the authorization response, the use of alg=none needs to be prohibited. Although the first bullet in Clause 3 Client Metadata states
The algorithm none is not allowed.
it is not using normative language and is too weak.
Also, it would be a good idea to include the algorithm check in 2.4 Processing rules so that the conformance test specifically checks for it.
Proposal
Amend the sentence above to read as:
The algorithm none ("alg":"none") MUST NOT be used.
Also, insert the following above 2.4-2 stating that if alg=none then the message MUST be rejected.
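The processing-rule check the proposal asks for, written out as an added example (this is illustrative code, not text from the issue or from the JARM/FAPI specification). The verifier reads the JOSE header first, rejects alg=none in any letter casing before the signature is even looked at, then requires the alg to equal the one the client registered as authorization_signed_response_alg, and only then verifies the signature. To keep the example self-contained it uses HS256 with a constructed demo key and assumes the client registered HS256; FAPI deployments sign JARM responses with PS256 or ES256, but the header gate is the same regardless of algorithm. Function and constant names are hypothetical, and the sample claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (not a real secret). HS256 is used only so the
# example runs without a JOSE library; the alg=none gate below is
# identical for PS256/ES256 as required by FAPI.
DEMO_KEY = b"jarm-demo-key-not-for-production"

# Assumption for this example: the client registered HS256 as its
# authorization_signed_response_alg.
REGISTERED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    if not part:
        return b""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def mint_response_jwt(claims: dict, alg: str, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT. alg='none' (any casing) yields the unsigned token an
    attacker would forge; anything else is HMAC-signed with the demo key."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg.lower() == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


class JarmRejected(Exception):
    pass


def process_jarm_response(response_jwt: str, registered_alg: str = REGISTERED_ALG,
                          key: bytes = DEMO_KEY) -> dict:
    """Reject alg=none before trusting anything, then require the registered alg,
    then verify the signature. Returns the response claims on success."""
    parts = response_jwt.split(".")
    if len(parts) != 3:
        raise JarmRejected("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise JarmRejected("malformed JOSE header")
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise JarmRejected("missing alg")
    # Case-insensitive: "None"/"NONE"/"nOnE" have bypassed naive equality checks.
    if alg.lower() == "none":
        raise JarmRejected("alg=none is prohibited")
    if alg != registered_alg:
        raise JarmRejected(f"alg {alg!r} is not the registered {registered_alg!r}")
    if alg != "HS256":
        raise JarmRejected("example verifier supports HS256 only")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JarmRejected("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


# Constructed sample authorization response claims.
SAMPLE_CLAIMS = {"iss": "https://as.example", "aud": "client-123",
                 "code": "SplxlOBeZQQYbYS6WxSbIA", "state": "af0ifjsldkj"}


def try_process(response_jwt: str) -> str:
    """Return 'accepted' or the rejection reason (used by the demo and tests)."""
    try:
        process_jarm_response(response_jwt)
        return "accepted"
    except JarmRejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    good = mint_response_jwt(SAMPLE_CLAIMS, "HS256")
    forged = mint_response_jwt({**SAMPLE_CLAIMS, "code": "attacker-code"}, "none")
    forged_caps = mint_response_jwt({**SAMPLE_CLAIMS, "code": "attacker-code"}, "None")
    for label, tok in (("signed", good), ("alg=none", forged), ("alg=None", forged_caps)):
        print(f"{label:9} -> {try_process(tok)}")
```

The ordering matters: the alg check runs before any signature code path is selected, so a forged unsigned token never reaches a verifier that might treat an empty signature as valid, and pinning the alg to the client's registered value also closes algorithm-confusion downgrades between the remaining algorithms.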
Comments (5)
reporter: +1
reporter: changed status to open
Accepted.
Brian will make a PR.
changed status to resolved
Brian Campbel wrote in https://lists.openid.net/pipermail/openid-specs-fapi/2022-July/002637.html