Clarifying Message Signing for UserInfo requests/responses in FAPI 2.0

Issue #723 new
hideki ikeda created an issue

If the userinfo requests/responses are considered as protected resource, I think they should be signed in FAPI 2 Message Signing. If that’s the case, why does 5.7. HTTP message signing in the current spec not include requirements for authorization servers? The userinfo endpoint is generally considered as an authorization server’s endpoint but the section 5.7 in the current spec only outlines requirements for “clients” and “resource servers”. Or perhaps the “resource servers” part should be changed to “protected resource endpoints” or something like that.

Comments (4)

  1. Brian Campbell

    IMHO FAPI 2.0, as an API security profile, should be as agnostic to OIDC as possible so shouldn’t say anything about the userinfo endpoint.

    Also, layering HTTP message signatures on the userinfo endpoint seems a wholly unneeded complication.

    Any perceived need for non-repudiation or other extra security there should probably just be covered by the existing signing and encryption options https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

  2. Takahiko Kawasaki

    @Brian Campbell That makes sense. Unless an ecosystem approaches us with a compelling reason to prefer HTTP message signing over the signing mechanism defined in OIDC Core, it seems we don’t need to require HTTP message signing at the userinfo endpoint.
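As an added illustration of the alternative both comments point to (OIDC Core signed UserInfo responses rather than HTTP message signatures), not code from this thread or from any spec: a stdlib-only Python sketch of a JWS-signed UserInfo response and the checks a client must make on it (signature, iss, aud, and that sub matches the ID Token). It assumes HS256 with a constructed client secret and constructed issuer and client_id values.

```python
import base64, hmac, hashlib, json

# Constructed example values (not from the thread): a client secret shared with the OP,
# the OP's issuer identifier, and this client's client_id.
CLIENT_SECRET = b"constructed-demo-client-secret-not-real"
ISSUER = "https://op.example"
CLIENT_ID = "client-123"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_userinfo(claims: dict, secret: bytes) -> str:
    """Produce a compact JWS (HS256) carrying the UserInfo claims.
    OIDC Core requires a signed UserInfo response to also carry iss and aud."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_userinfo(jws: str, secret: bytes, expected_sub: str) -> dict:
    """Verify the signature, then the OIDC Core client-side checks:
    iss is the OP, aud contains this client, sub equals the ID Token's sub."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # reject "none" and algorithm substitution
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("response not intended for this client")
    if claims.get("sub") != expected_sub:
        raise ValueError("sub does not match the ID Token")
    return claims

def demo() -> dict:
    # Round trip with constructed claims; expected_sub is what the ID Token carried.
    token = sign_userinfo({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                           "email": "u@example.org"}, CLIENT_SECRET)
    return verify_userinfo(token, CLIENT_SECRET, expected_sub="user-42")
```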
