Currently §7.1 of this spec says that

> In accordance with [FAPI-RW], ID Tokens must be signed and encrypted when returned to a Data Recipient from both the Authorisation Endpoint and Token Endpoint.

However, it seems like this is only a recommendation in FAPI-RW given §5.2.2.9 of FAPI-RW says

> should support signed and encrypted ID Token;

I think the wording in §7.1 should be changed to remove any implication that encryption is mandated by FAPI-RW. Also, if ID token encryption is mandatory in this spec, then I believe `id_token_encrypted_response_alg` and `id_token_encrypted_response_enc` should be added as mandatory fields in a registration request (see §13.9.1).
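The registration-request rule proposed in the comment above, as an added example; this is not the commenter's text and not code from this spec or from FAPI-RW. It checks an OIDC Dynamic Client Registration request the way a Data Holder that mandates ID Token encryption would have to: `id_token_encrypted_response_alg` and `id_token_encrypted_response_enc` must both be present. It also applies two rules from OpenID Connect Dynamic Client Registration 1.0 (an `_enc` value may not appear without an `_alg`, and `_enc` defaults to `A128CBC-HS256` when only `_alg` is registered) and FAPI-RW's algorithm restrictions (PS256/ES256 for signing, no RSA1_5 for JWE). The `encryption_mandatory` flag, the remaining allowed-algorithm lists, the function names and the sample requests are assumptions made for this example.

```python
"""Check an OIDC Dynamic Client Registration request for the ID Token
encryption parameters discussed above.

Added example: not the commenter's text and not code from this spec or
from FAPI-RW. The `encryption_mandatory` flag, the allowed-algorithm
lists beyond FAPI-RW's own restrictions, and the sample requests are
assumptions made for this example.
"""
import json
from typing import List

# FAPI-RW restricts JWS to PS256/ES256 and forbids RSA1_5 for JWE key
# management; the remaining allowed lists are an assumed local policy.
ALLOWED_SIG_ALGS = {"PS256", "ES256"}
FORBIDDEN_JWE_ALGS = {"RSA1_5"}
ALLOWED_JWE_ALGS = {"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES",
                    "ECDH-ES+A128KW", "ECDH-ES+A256KW"}
ALLOWED_JWE_ENCS = {"A128CBC-HS256", "A256CBC-HS512", "A128GCM", "A256GCM"}
DEFAULT_JWE_ENC = "A128CBC-HS256"  # OIDC DCR default when only alg is registered


def check_id_token_params(reg: dict, encryption_mandatory: bool) -> List[str]:
    """Return the problems found; an empty list means the request is acceptable."""
    problems: List[str] = []
    sig = reg.get("id_token_signed_response_alg")
    alg = reg.get("id_token_encrypted_response_alg")
    enc = reg.get("id_token_encrypted_response_enc")

    # Signing is always required: FAPI-RW allows only PS256 or ES256.
    if sig not in ALLOWED_SIG_ALGS:
        problems.append(
            f"id_token_signed_response_alg must be PS256 or ES256, got {sig!r}")

    # OIDC DCR: an enc value is meaningless without a key-management alg.
    if enc is not None and alg is None:
        problems.append(
            "id_token_encrypted_response_enc given without id_token_encrypted_response_alg")

    # The rule proposed in the comment: both parameters are mandatory when
    # the Data Holder requires encrypted ID Tokens (no reliance on the default).
    if encryption_mandatory:
        if alg is None:
            problems.append(
                "id_token_encrypted_response_alg is missing but ID Token encryption is mandatory")
        if enc is None:
            problems.append(
                "id_token_encrypted_response_enc is missing but ID Token encryption is mandatory")

    # Algorithm hygiene for whatever the client did register.
    if alg is not None:
        if alg in FORBIDDEN_JWE_ALGS:
            problems.append(f"id_token_encrypted_response_alg {alg} is forbidden by FAPI-RW")
        elif alg not in ALLOWED_JWE_ALGS:
            problems.append(f"id_token_encrypted_response_alg {alg!r} is not in the allowed list")
        effective_enc = enc if enc is not None else DEFAULT_JWE_ENC
        if effective_enc not in ALLOWED_JWE_ENCS:
            problems.append(
                f"id_token_encrypted_response_enc {effective_enc!r} is not in the allowed list")

    return problems


def validate_registration_body(body: str, encryption_mandatory: bool) -> List[str]:
    """Parse a JSON registration request body and check its ID Token parameters."""
    try:
        reg = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"registration request is not valid JSON: {exc}"]
    if not isinstance(reg, dict):
        return ["registration request must be a JSON object"]
    return check_id_token_params(reg, encryption_mandatory)


# Constructed sample registration requests (hypothetical Data Recipient).
_BASE = {"client_name": "Example Data Recipient",
         "redirect_uris": ["https://adr.example/callback"]}
SAMPLE_OK = json.dumps({**_BASE, "id_token_signed_response_alg": "PS256",
                        "id_token_encrypted_response_alg": "RSA-OAEP",
                        "id_token_encrypted_response_enc": "A256GCM"})
SAMPLE_SIGNED_ONLY = json.dumps({**_BASE, "id_token_signed_response_alg": "ES256"})
SAMPLE_RSA1_5 = json.dumps({**_BASE, "id_token_signed_response_alg": "PS256",
                            "id_token_encrypted_response_alg": "RSA1_5",
                            "id_token_encrypted_response_enc": "A128CBC-HS256"})
SAMPLE_ENC_WITHOUT_ALG = json.dumps({**_BASE, "id_token_signed_response_alg": "PS256",
                                     "id_token_encrypted_response_enc": "A128GCM"})

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("signed-only", SAMPLE_SIGNED_ONLY),
                       ("rsa1_5", SAMPLE_RSA1_5), ("enc-without-alg", SAMPLE_ENC_WITHOUT_ALG)]:
        print(name, validate_registration_body(body, encryption_mandatory=True) or "OK")
```

With `encryption_mandatory=False` the signed-only request passes, which is the FAPI-RW reading the comment argues for; with it set to `True` the same request is rejected for both missing parameters, which is what §13.9.1 would need to say if §7.1 keeps encryption mandatory.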