Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clarify the behavior when authorization_signed_response_alg is ommitted, #406

Closed
Sakurann opened this issue Jan 30, 2025 · 2 comments · Fixed by #410
Closed

clarify the behavior when authorization_signed_response_alg is ommitted, #406

Sakurann opened this issue Jan 30, 2025 · 2 comments · Fixed by #410
Assignees
@bc-pi
Labels
has-PR
Milestone
Final 1.0

Comments

@Sakurann
Copy link
Collaborator

JARM spec says 'If unspecified, the default algorithm to use for signing authorization responses is RS256. The algorithm none is not allowed.' and I don't see that override in openid4vp (so if you don't specify it then it's RS256). but openid4vp spec makesauthorization_signed_response_alg optional because signing in JARM in openid4vp is optional. need to make clear that in openid4vp, ifauthorization_signed_response_alg` is ommitted, there is no default value, default is not signign
@Sakurann Sakurann added this to the Final 1.0 milestone Jan 30, 2025
@bc-pi bc-pi self-assigned this Jan 30, 2025
@bc-pi
Copy link
Member

bc-pi commented Jan 30, 2025

This needs to be fixed and I'll do a PR.

@bc-pi bc-pi mentioned this issue Jan 31, 2025
Merged
@bc-pi bc-pi linked a pull request Jan 31, 2025 that will close this issue
clarify when authorization_signed_response_alg is omitted, do not sign #410
Merged
@bc-pi
Copy link
Member

bc-pi commented Feb 2, 2025

I did a PR! See #410

@Sakurann Sakurann added the has-PR label Feb 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bc-pi bc-pi

Labels
has-PR
Projects
None yet
Milestone
Final 1.0
Development

Successfully merging a pull request may close this issue.

clarify when authorization_signed_response_alg is omitted, do not sign openid/OpenID4VP
2 participants
@Sakurann @bc-pi