Clearinghouse checking token signature
Closed this issue · 2 comments
Conformance for Claim Clearinghouses section item 2.i.a.b:
This includes checking the signature of Embedded Tokens that the Claim Clearinghouse may wish to use
This requirement is valid per se but in a weird place. This section defines the checks a claim clearinghouse must do on access tokens, not on embedded tokens.
There is also a wider question of whether an access token validity check (item 2.i.a) is necessary at all before the /userinfo request, as /userinfo will reject invalid access tokens anyway.
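To make the item 2.i.a step concrete, here is an added example (not code from the issue, the spec, or any reference implementation) of a clearinghouse checking an access token's signature and expiry locally before spending a /userinfo round trip. It uses an HS256 shared secret (`EXAMPLE_KEY`, constructed for the example) so it runs offline; a real clearinghouse would fetch the broker's public keys and verify an asymmetric signature instead. Function names (`verify_access_token`, `should_call_userinfo`, `make_token`) are mine, not the spec's.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example only. A real clearinghouse would
# verify against the broker's published (asymmetric) keys, not a shared secret.
EXAMPLE_KEY = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Mint a constructed HS256 JWT so the example has something to verify."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenInvalid(Exception):
    """Raised for any token the clearinghouse should not forward to /userinfo."""


def verify_access_token(token: str, key: bytes = EXAMPLE_KEY,
                        now: Optional[float] = None) -> dict:
    """Local validity check of an access token (the item 2.i.a step).

    Rejects malformed tokens, unexpected algorithms, bad signatures and
    expired tokens. Returns the payload claims on success.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own "alg" choose the verifier.
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison of the signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenInvalid("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenInvalid("missing or past exp")
    return claims


def should_call_userinfo(token: str, key: bytes = EXAMPLE_KEY,
                         now: Optional[float] = None) -> bool:
    """Gate the /userinfo request on the local check; a token that fails here
    never reaches the network, which also keeps garbage off the broker's logs."""
    try:
        verify_access_token(token, key, now)
        return True
    except (TokenInvalid, ValueError):
        # ValueError covers base64/JSON decoding failures on malformed input.
        return False


if __name__ == "__main__":
    good = make_token({"sub": "user1", "exp": int(time.time()) + 600})
    print("forward to /userinfo:", should_call_userinfo(good))
    print("forward garbage:", should_call_userinfo("not.a.jwt"))
```

The local check is cheap and stops malformed or forged tokens before they reach /userinfo, but it is not a substitute for it: the broker can still reject a token that verifies locally (revocation, scope), which is the point of the follow-up question above.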
I think it's implied that Embedded Tokens can be checked and I think the section on Embedded tokens spells that out. This specific section I'll take out.
At some level we IMPLY throughout the doc that /userinfo is necessary, and this section predates the idea that EVERYTHING would be in /userinfo (i.e., we had this idea that some important claims could be in the JWT).
I also think that checking JWT signatures is "good practice" even if, pragmatically, it's /userinfo that also needs to check.
I made a change as "bernick_mikael_issues 8f309b4"