ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

Is ID token encryption mandatory? #51

Closed ajmcmiddlin closed 5 years ago

ajmcmiddlin commented 5 years ago

Currently §7.1 of this spec says that

In accordance with [FAPI-RW], ID Tokens must be signed and encrypted when returned to a Data Recipient from both the Authorisation Endpoint and Token Endpoint.

However, it seems like this is only a recommendation in FAPI-RW given §5.2.2.9 of FAPI-RW says

should support signed and encrypted ID Token;

I think the wording in §7.1 should be changed to remove any implication that encryption is mandated by FAPI-RW. Also, if ID token encryption is mandatory in this spec, then I believe id_token_encrypted_response_alg and id_token_encrypted_response_enc should be added as mandatory fields in a registration request (see §13.9.1).

lukepopp commented 5 years ago

Encryption is mandatory under this profile. This was a request from the banking community.
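Because this profile mandates an encrypted ID token, a Data Recipient (or a conformance checker) needs two checks that the thread only describes in words: that the ID token returned from the Authorisation or Token Endpoint is actually a JWE wrapping a signed JWT rather than a bare JWS, and that the registration request carries `id_token_encrypted_response_alg` and `id_token_encrypted_response_enc`. The block below is an added example written for this page; it is not code from the CDS infosec repository or from either commenter. The two encrypted-response field names come from the issue; `id_token_signed_response_alg` is the standard OpenID Connect Dynamic Client Registration parameter and is assumed here as a third required field. The tokens are constructed placeholders (real JOSE headers, dummy payload and ciphertext segments), so the check inspects serialisation shape and headers only and does not decrypt or verify signatures.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JOSE compact serialisation strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_serialisation(token: str) -> str:
    """Classify a compact-serialised token: JWS has 3 segments, JWE has 5."""
    segments = token.count(".") + 1
    if segments == 3:
        return "JWS"
    if segments == 5:
        return "JWE"
    return "invalid"


def jose_header(token: str) -> dict:
    """Decode the protected header (first segment) of a JWS or JWE."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def check_id_token_encrypted(token: str) -> list:
    """Return findings for an ID token; an empty list means it is a JWE carrying a nested JWT.

    Under this profile a signed-only (JWS) ID token is a finding, not an acceptable fallback.
    """
    findings = []
    kind = token_serialisation(token)
    if kind != "JWE":
        findings.append(f"ID token is {kind}, not a JWE: encryption is mandatory under this profile")
        return findings
    header = jose_header(token)
    if "enc" not in header:
        findings.append("JWE protected header lacks 'enc'")
    # RFC 7519 section 5.2: a nested JWT (signed then encrypted) MUST carry cty="JWT".
    if str(header.get("cty", "")).upper() != "JWT":
        findings.append("JWE 'cty' is not 'JWT': expected a signed JWT nested inside the JWE")
    return findings


# Fields the registration request must carry if ID token encryption is mandatory.
# The two *_encrypted_* names are the ones proposed in the issue; the signed alg is assumed.
REQUIRED_REGISTRATION_FIELDS = (
    "id_token_signed_response_alg",
    "id_token_encrypted_response_alg",
    "id_token_encrypted_response_enc",
)


def check_registration_request(request: dict) -> list:
    """Return one finding per required ID-token field missing from a registration request."""
    return [f"registration request missing {f}" for f in REQUIRED_REGISTRATION_FIELDS if f not in request]


def sample_token(header: dict, n_segments: int) -> str:
    """Build a constructed token with a real JOSE header and placeholder remaining segments."""
    segments = [_b64url_encode(json.dumps(header).encode())]
    segments += [_b64url_encode(b"placeholder")] * (n_segments - 1)
    return ".".join(segments)


# Constructed samples (not real tokens or registrations).
SIGNED_ONLY_ID_TOKEN = sample_token({"alg": "PS256", "kid": "sig-key-1"}, 3)
ENCRYPTED_ID_TOKEN = sample_token(
    {"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT", "kid": "enc-key-1"}, 5
)
REGISTRATION_SIGNED_ONLY = {
    "redirect_uris": ["https://recipient.example/cb"],
    "id_token_signed_response_alg": "PS256",
}
REGISTRATION_ENCRYPTED = {
    **REGISTRATION_SIGNED_ONLY,
    "id_token_encrypted_response_alg": "RSA-OAEP",
    "id_token_encrypted_response_enc": "A256GCM",
}

if __name__ == "__main__":
    for name, tok in (("signed-only", SIGNED_ONLY_ID_TOKEN), ("encrypted", ENCRYPTED_ID_TOKEN)):
        print(name, token_serialisation(tok), check_id_token_encrypted(tok))
    for name, req in (("signed-only", REGISTRATION_SIGNED_ONLY), ("encrypted", REGISTRATION_ENCRYPTED)):
        print(name, check_registration_request(req))
```

The two checks are deliberately separate: a Data Holder can pass registration validation (advertising encryption algorithms) and still emit a bare JWS at runtime, so a conformance run should inspect the issued token's serialisation as well as the registration metadata.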