Originally submitted by josephheenan (Joseph Heenan) on 2026-02-25
https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata says, for request_object_signing_alg:
"The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used."
I'm struggling to figure out the "MAY". I think it means the RP needs to use an alg that it supports, and that the OP supports. But I'm struggling because I think that would make more sense if it said MUST:
"The default, if omitted, is that any algorithm supported by the OP and the RP MUST be used."
After talking to MikeJ he did say the intended reading is a 'MUST', i.e. do what will actually work.
We might want to tighten up the wording in an errata. In many of the default DCR cases it doesn't matter too much, but when using Federation automatic registration it matters more (this case came up because the certification tests for federation don't include request_object_signing_alg when testing automatic registration).
Bitbucket status: new
Bitbucket origin: issue 2188
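As an added illustration of the "do what will actually work" reading described in the issue (this is not code from the spec, the certification suite, or the issue author): an RP-side chooser and an OP-side check for the request object's JOSE header `alg` when `request_object_signing_alg` was never registered, which is exactly the automatic-registration situation. The metadata field name `request_object_signing_alg_values_supported` is the standard OP discovery field; the sample OP and RP algorithm lists, the RP preference order, and the decision to never fall back to `none` are assumptions made for the example.

```python
"""Choosing and checking the request object signing alg when the client
metadata omits request_object_signing_alg.

Policy illustrated: a registered value is binding; with no registered value,
the only alg that will work is one both the OP and the RP support (the
'MUST' reading from the issue). Skipping 'none' is an assumed policy choice.
"""

from typing import Iterable, Optional

# Constructed sample metadata, not taken from any real deployment.
OP_METADATA = {
    "request_object_signing_alg_values_supported": ["RS256", "PS256", "ES256"],
}
# Assumed RP capability, listed in the RP's own preference order.
RP_SUPPORTED_SIGNING_ALGS = ["ES256", "EdDSA", "RS256"]


def choose_request_object_alg(registered_alg: Optional[str],
                              rp_supported: Iterable[str],
                              op_metadata: dict) -> str:
    """RP side: pick the alg to sign the request object with.

    A registered request_object_signing_alg is binding, so it is returned
    (after confirming the RP can actually produce it). With nothing
    registered, the first RP-preferred alg that the OP also advertises is
    used; if there is none, signing cannot succeed and we fail early rather
    than send something the OP will reject.
    """
    rp_algs = [a for a in rp_supported if a != "none"]  # assumed policy: never unsigned
    op_algs = set(op_metadata.get("request_object_signing_alg_values_supported", []))
    if registered_alg is not None:
        if registered_alg not in rp_algs:
            raise ValueError(f"registered alg {registered_alg!r} is not one this RP can produce")
        return registered_alg
    for alg in rp_algs:
        if alg in op_algs:
            return alg
    raise ValueError("no request object signing alg is supported by both OP and RP")


def op_accepts_request_object_alg(registered_alg: Optional[str],
                                  presented_alg: str,
                                  op_metadata: dict) -> bool:
    """OP side: validate the alg found in the request object's JOSE header.

    An alg outside the OP's advertised set is always refused. If the client
    registered a value, only that exact alg is accepted; otherwise any
    advertised alg is accepted, which is the 'any algorithm supported by
    the OP and the RP' default made concrete.
    """
    op_algs = set(op_metadata.get("request_object_signing_alg_values_supported", []))
    if presented_alg not in op_algs:
        return False
    if registered_alg is not None:
        return presented_alg == registered_alg
    return True


if __name__ == "__main__":
    # Automatic-registration style flow: nothing registered on either side.
    alg = choose_request_object_alg(None, RP_SUPPORTED_SIGNING_ALGS, OP_METADATA)
    print("RP signs with:", alg)
    print("OP accepts:", op_accepts_request_object_alg(None, alg, OP_METADATA))
```

The RP list deliberately includes an alg (EdDSA) that the OP does not advertise: an RP that simply took its own first preference without consulting discovery would be refused, which is the failure the issue is pointing at, while consulting both lists yields the common choice.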