This repository has been archived by the owner on Dec 24, 2020. It is now read-only.
ID Tokens MUST be signed using JWS [JWS] and optionally both signed and then encrypted using JWS [JWS] and JWE [JWE] respectively
In the SerializeIdentityTokenAsync method of OpenIdConnectServerHandler, the signing is optional for authorization code grant. I thought it was only the signature validation by the client that is optional.
Yep, you're right. But that's kinda a degraded mode, that allows using ASOS and the basic code flow without having to register signing credentials, that won't be used by the client application to validate the identity token anyway.
It won't be a thing in OpenIddict 3.0, where you'll have to register an asymmetric signing key (with a check made at startup).
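A client-side check for the signing requirement discussed in this thread, as an added example that is not code from ASOS or OpenIddict: it classifies a compact ID token as signed, unsigned or encrypted from its structure alone. It assumes an unsigned token shows up as `alg` set to `none` or as an empty signature segment; the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # Compact JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def classify_id_token(token: str) -> str:
    """Return 'signed', 'unsigned', 'encrypted' or 'malformed'.

    'signed' only means a signature is present; it is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) == 5:
        # JWE compact form: the nested JWS is only visible after decryption.
        return "encrypted"
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return "malformed"
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        return "malformed"
    # Assumption: a server that skips signing emits alg "none" and/or an
    # empty third segment. Either one fails the "MUST be signed" rule.
    if header["alg"].lower() == "none" or parts[2] == "":
        return "unsigned"
    return "signed"


def make_token(header: dict, signature: bytes) -> str:
    # Constructed sample claims; the signature bytes are dummy values.
    claims = {"iss": "https://issuer.example", "sub": "constructed-user"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(signature)])


SAMPLES = {
    "rs256": make_token({"alg": "RS256", "typ": "JWT"}, b"\x01" * 32),
    "alg_none": make_token({"alg": "none"}, b""),
    "stripped": make_token({"alg": "RS256"}, b""),
    "jwe": "a.b.c.d.e",  # five segments, structure only
}
```

A token reported as `signed` still has to go through full signature validation against the issuer's keys before its claims are trusted.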
In https://openid.net/specs/openid-connect-core-1_0.html#IDToken it says: