This repository has been archived by the owner on Dec 24, 2020. It is now read-only.

Make ID Token signature mandatory #548

Closed
danieljee opened this issue Aug 30, 2019 · 2 comments

Comments

@danieljee

In https://openid.net/specs/openid-connect-core-1_0.html#IDToken it says:

ID Tokens MUST be signed using JWS [JWS] and optionally both signed and then encrypted using JWS [JWS] and JWE [JWE] respectively

In the SerializeIdentityTokenAsync method of OpenIdConnectServerHandler, signing is optional for the authorization code grant. I thought it was only the signature validation by the client that is optional.

@kevinchalet
Member

Yep, you're right. But that's kinda a degraded mode that allows using ASOS and the basic code flow without having to register signing credentials, which won't be used by the client application to validate the identity token anyway.

It won't be a thing in OpenIddict 3.0, where you'll have to register an asymmetric signing key (with a check made at startup).
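As an added example (not code from ASOS, OpenIddict or either commenter), here is the client-side counterpart of the spec sentence quoted above: a validator that refuses an ID token whose signature was skipped (alg "none" / empty signature segment) and only accepts one carrying a valid MAC. The shared secret, claims and HS256 choice are constructed for the demo; a client talking to a provider that signs with an asymmetric key would verify RS256/ES256 against the provider's JWKS instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the demo only; an HS256 client would use its client_secret.
SAMPLE_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, key=None) -> str:
    """Build a compact JWS. key=None yields an unsigned token (alg 'none' and an
    empty signature segment), mimicking a server that skipped signing."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, key: bytes) -> dict:
    """Enforce 'ID Tokens MUST be signed': reject alg 'none', an empty signature,
    any algorithm off the allow-list, and a bad MAC (iss/aud/exp checks omitted)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg != "HS256" or not sig_b64:   # allow-list, not the header's own claim
        raise ValueError(f"unsigned or unsupported alg: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def accepts(token: str, key: bytes = SAMPLE_KEY) -> bool:
    try:
        validate_id_token(token, key)
        return True
    except ValueError:
        return False
```

A real client also checks iss, aud, exp and (for the implicit/hybrid flows) nonce and at_hash; those are left out here so the signature requirement stays in focus.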

@danieljee
Author

Okay, thanks for the explanation.
