Need tighter explanation of preferred response types

Issue #12 closed
Pamela Dingle created an issue

The preferred response type for ASPSPs to implement is in fact 'code id_token', not just 'code', because of the extra mitigation that occurs when the id_token can be used as a detached signature for the authorization code. This preference is not clearly communicated in the spec.

Please update the spec to show that 'code id_token' is a SHOULD and that other supported options are MAY.
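The "detached signature" mitigation referred to above is the c_hash claim: in the hybrid flow the ID token carries base64url(left half of SHA-256(code)), so a code that arrives in the same front-channel response can be checked against a signed statement from the ASPSP before it is ever sent to the token endpoint. The following is an added illustration, not text from the issue, the spec, or any ASPSP's code. It signs the constructed ID token with HS256 and a demo key purely so it runs with the standard library; a real profile deployment uses an asymmetric alg such as PS256 or ES256, and the c_hash rule shown is the same for those because they also hash with SHA-256. Issuer, client ID, nonce, state and code values are all made up.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Constructed demo signing key: stand-in for the ASPSP's asymmetric key.
DEMO_KEY = b"demo-aspsp-hs256-key-not-for-production"

# Constructed values the TPP (client) expects to see echoed back.
DEMO_EXPECTED = {
    "iss": "https://aspsp.example",   # hypothetical issuer
    "aud": "tpp-client-id",           # hypothetical client_id
    "nonce": "n-0S6_WzA2Mj",          # nonce sent in the authorization request
    "state": "af0ifjsldkj",           # state sent in the authorization request
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def c_hash(code: str) -> str:
    # OpenID Connect Core 3.3.2.11: hash the ASCII code with the alg's hash
    # (SHA-256 here), keep the left-most half, base64url-encode it.
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict, key: bytes) -> str:
    # Minimal JWS (HS256) so the example is self-contained.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def build_fragment(code: str, key: bytes, now: int) -> str:
    """ASPSP side: 'code id_token' response as it would appear in the redirect fragment."""
    claims = {
        "iss": DEMO_EXPECTED["iss"],
        "aud": DEMO_EXPECTED["aud"],
        "sub": "psu-123",
        "nonce": DEMO_EXPECTED["nonce"],
        "iat": now,
        "exp": now + 300,
        "c_hash": c_hash(code),       # binds this code to the signed token
    }
    return f"code={code}&id_token={mint_id_token(claims, key)}&state={DEMO_EXPECTED['state']}"


def verify_hybrid_response(fragment: str, key: bytes, expected: dict, now=None) -> str:
    """TPP side: return the code only if the signed id_token vouches for it."""
    params = {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}
    code, id_token = params["code"], params["id_token"]
    if params.get("state") != expected["state"]:
        raise ValueError("state mismatch")

    header_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != expected["iss"] or claims.get("aud") != expected["aud"]:
        raise ValueError("wrong issuer or audience")
    if claims.get("nonce") != expected["nonce"]:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    # The detached-signature check: the code must hash to the signed c_hash.
    if not hmac.compare_digest(claims.get("c_hash", ""), c_hash(code)):
        raise ValueError("c_hash mismatch: code is not bound to this id_token")
    return code


if __name__ == "__main__":
    now = int(time.time())
    frag = build_fragment("SplxlOBeZQQYbYS6WxSbIA", DEMO_KEY, now)
    print("accepted:", verify_hybrid_response(frag, DEMO_KEY, DEMO_EXPECTED, now))
    swapped = frag.replace("code=SplxlOBeZQQYbYS6WxSbIA", "code=attacker-injected-code")
    try:
        verify_hybrid_response(swapped, DEMO_KEY, DEMO_EXPECTED, now)
    except ValueError as err:
        print("rejected:", err)
```

With a plain 'code' response there is nothing in the front channel for the client to check, so a code injected into the redirect is only detected, if at all, at the token endpoint; the c_hash comparison is what lets the client reject the swapped code before making that call.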

Comments (1)

  1. Pamela Dingle reporter

    security profile: Tighten up explanation of allowed response types

    Due to the extra mitigation that occurs when the id_token can be used as a detached signature for the authorization code, 'code id_token' is the preferred response type.

    'code' is allowed as an interim measure as per email discussion with Ralph/Pam/Dave.

    closes #12

    → <<cset 3a10419180fc>>
