id_token signature verification
What did you do?
We run the FAPI2 connect_id conformance test with the RP implementation that accepts any signature (simply return true for any token) and all tests succeed.
What did you expect would happen?
Description:
Existing tests in the conformance suite do not cover the situation in which the RP validates the parameters in the id_token header but skips signature validation (accepting every signature). The happy path does not catch this case because the id_token is valid and must be accepted, and the failure scenarios fail on an earlier check, before the signature would be verified.
Proposed test:
Create a failure scenario that produces a properly formed id_token (correct kid, alg, nonce, ...) but signs it with a different key. The RP should fail with a signature verification error.
Note: This might be a valid test for other profiles.
| Spec ref | Test plan | Variant | Tested Party | Profile | Description | Error result |
|---|---|---|---|---|---|---|
| | FAPI2-Message-Signing-ID1: Relying Party (client) test | Error path | RP | connectid_au | Add a test scenario that creates id_token properly (kid, alg, nonce ....) but is signed with a different key. | SUCCESS |
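As an added illustration of the proposed scenario (example code written for this issue, not part of the conformance suite or of any RP implementation), the block below mints an id_token whose header and claims are all correct but which is signed under a different key, then runs it through two RP validators: one that really checks the signature and one that "verifies" by returning True. The happy-path token is accepted by both, which is why the existing tests cannot tell them apart; only the wrong-key token separates them. HS256 with HMAC is used purely so the example runs on the Python standard library (FAPI 2 requires asymmetric algorithms); the issuer, client_id, kid, keys and nonce are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample identifiers and keys (assumptions for this example, not from the issue).
# HS256 stands in for the asymmetric algorithms a FAPI 2 OP would use, so the example needs
# only the standard library; the validation logic is the same either way.
ISSUER = "https://op.example.test"
CLIENT_ID = "rp-client-example"
KID = "op-signing-key-1"
OP_KEY = b"constructed-op-signing-secret"       # the key the OP really uses for KID
OTHER_KEY = b"constructed-different-secret"     # a different key, same kid in the header
JWKS = {KID: OP_KEY}                            # the RP's cached view of the OP's keys


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, kid: str, key: bytes) -> str:
    """Build a compact JWS whose header and claims are fully correct; only `key` varies."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_hs256(signing_input: str, signature: bytes, key: bytes) -> bool:
    """A real signature check: recompute the MAC under the key selected by kid."""
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def accept_any_signature(signing_input: str, signature: bytes, key: bytes) -> bool:
    """The defect the issue describes: header checks run, but the signature is never checked."""
    return True


def validate_id_token(token: str, expected_nonce: str, signature_check) -> dict:
    """RP-side validation: header parameters, then signature, then iss/aud/nonce/exp claims."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed id_token")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = JWKS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if not signature_check(f"{h_b64}.{c_b64}", b64url_decode(s_b64), key):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("iss/aud mismatch")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def _claims(nonce: str) -> dict:
    now = int(time.time())
    return {"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
            "nonce": nonce, "iat": now, "exp": now + 300}


def happy_path(signature_check) -> bool:
    """Existing happy-path style test: a token signed by the OP must be accepted."""
    nonce = "constructed-nonce-happy"
    token = mint_id_token(_claims(nonce), KID, OP_KEY)
    try:
        validate_id_token(token, nonce, signature_check)
    except ValueError:
        return False
    return True


def wrong_key_scenario(signature_check) -> bool:
    """The proposed test: everything correct except the signing key.
    Returns True only when the RP rejects the token with a signature error."""
    nonce = "constructed-nonce-wrongkey"
    token = mint_id_token(_claims(nonce), KID, OTHER_KEY)
    try:
        validate_id_token(token, nonce, signature_check)
    except ValueError as err:
        return "signature" in str(err)
    return False


if __name__ == "__main__":
    for name, check in (("real check", verify_hs256), ("accept-all", accept_any_signature)):
        print(f"{name}: happy path ok={happy_path(check)}, "
              f"wrong-key rejected={wrong_key_scenario(check)}")
```

Running it shows both validators passing the happy path, while only the real check rejects the wrong-key token; an RP with the accept-all behaviour accepts it, which is exactly the result the proposed conformance test would flag.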
What did happen?
N/A
Please reference and quote any relevant OAuth2 / OpenID Connect / FAPI specification clauses that support your expectations
N/A