Retirement of OIDC Hybrid Flow #666
Labels
Breaking change: A change expected to result in a new endpoint version.
Security: Change or question related to the information security profile.
Description
As part of the FAPI 1.0 transition, the OpenID Connect Hybrid Flow authentication flow has been deprecated but not officially retired. Authorization Code Flow must be supported. Whilst a Data Holder MAY continue to support OIDC Hybrid Flow, this was intended to provide a safe transition of the ecosystem on to Authorization Code Flow. This change proposes the retirement of OIDC Hybrid Flow, with a planned future retirement date after which ONLY Authorization Code Flow shall be supported.
Intention and Value of Change
This change simplifies the ongoing support and maintainability of the security properties which Data Holders must support. This further aligns with the FAPI 2.0 Security Profile, where OIDC Hybrid Flow is not supported. Specifically, section 5.3.1.1 (2) states that Authorisation Servers:
Area Affected
Security Profile -> Authentication Flows
Change Proposed
The following changes are proposed:
Simplify the Baseline Security Provisions to remove reference to OIDC Hybrid Flow
Remove phased obligations and requirements in the Baseline Security Provisions:
Remove the Security Profile -> Authentication Flows -> OIDC Hybrid Flow support
Disallow the use of ID Token encryption, or alternatively remove support for it in Dynamic Client Registration (Registration Request using JWT). Applies to:
id_token_signed_response_alg
id_token_encrypted_response_alg
id_token_encrypted_response_enc
Remove the ID Token encryption parameters from the OpenID Provider Discovery Document (OIDD) defined in "Security Profile -> Security Endpoints":
id_token_encryption_alg_values_supported
id_token_encryption_enc_values_supported
id_token_signing_alg_values_supported
Remove "Security Profile -> Client Registration -> ID Token Algorithm Selection Considerations"
Remove support for response_type "code id_token" in DCR registration and authorisation requests.
Remove the following OIDC Hybrid Flow requirements from "Security Profile -> Tokens":
Remove and/or update associated non-normative examples
Set a retirement date, to be agreed; for example Y25 #2: 2025-05-12.
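As an added example, not part of this issue or of the Consumer Data Standards repository: a Python pre-flight check that a Data Holder or Data Recipient could run against their OpenID Discovery Document and their DCR registration claims to list what the proposal above would retire. The sample OIDD and DCR claims are constructed inline; the issuer URL and client name are hypothetical, and the retirement date used is the example date from the list above, not a decided one. The check flags the ID Token encryption parameters and any response_type other than "code", and grades each finding as a warning before the retirement date and an error from that date on; it leaves the signing-algorithm parameters alone, since which of those survive is for the final change text.

```python
"""Pre-flight check for the proposed retirement of OIDC Hybrid Flow.

Added example, not CDS reference code. Given a Data Holder's OpenID
Discovery Document (OIDD) and the claims of a Data Recipient's DCR
registration request, it lists what still relies on Hybrid Flow or ID
Token encryption, and grades each finding by the retirement date.
"""
from __future__ import annotations

import datetime as dt

# Example retirement date from the proposal (Y25 #2); an assumption, not a decided date.
RETIREMENT_DATE = dt.date(2025, 5, 12)

# OIDD parameters the proposal removes from "Security Endpoints".
RETIRED_OIDD_PARAMS = {
    "id_token_encryption_alg_values_supported",
    "id_token_encryption_enc_values_supported",
}
# DCR request claims the proposal retires.
RETIRED_DCR_CLAIMS = {
    "id_token_encrypted_response_alg",
    "id_token_encrypted_response_enc",
}
# Only Authorization Code Flow remains; "code id_token" is Hybrid Flow.
ALLOWED_RESPONSE_TYPES = {"code"}

# Constructed sample OIDD that still advertises Hybrid Flow and ID Token encryption.
SAMPLE_OIDD = {
    "issuer": "https://idp.example.com",  # hypothetical
    "response_types_supported": ["code", "code id_token"],
    "id_token_signing_alg_values_supported": ["PS256", "ES256"],
    "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256"],
    "id_token_encryption_enc_values_supported": ["A256GCM", "A128CBC-HS256"],
}

# Constructed sample DCR registration claims (the JWT payload) from a Data Recipient.
SAMPLE_DCR_CLAIMS = {
    "client_name": "Example ADR",  # hypothetical
    "response_types": ["code id_token"],
    "grant_types": ["authorization_code", "refresh_token"],
    "id_token_signed_response_alg": "PS256",
    "id_token_encrypted_response_alg": "RSA-OAEP",
    "id_token_encrypted_response_enc": "A256GCM",
}


def check_oidd(oidd: dict) -> list[str]:
    """Findings against a Data Holder's discovery document."""
    findings = []
    # Retired encryption parameters still advertised.
    for param in sorted(RETIRED_OIDD_PARAMS & set(oidd)):
        findings.append(f"oidd: retired parameter advertised: {param}")
    supported = oidd.get("response_types_supported", [])
    # Any response_type other than "code" is Hybrid Flow (or otherwise out of profile).
    for rt in supported:
        if rt not in ALLOWED_RESPONSE_TYPES:
            findings.append(f"oidd: response_type '{rt}' no longer permitted (Hybrid Flow)")
    # Authorization Code Flow is mandatory.
    if "code" not in supported:
        findings.append("oidd: response_type 'code' must be supported (Authorization Code Flow)")
    return findings


def check_dcr(claims: dict) -> list[str]:
    """Findings against a Data Recipient's DCR registration request claims."""
    findings = []
    for claim in sorted(RETIRED_DCR_CLAIMS & set(claims)):
        findings.append(f"dcr: retired claim present: {claim}")
    for rt in claims.get("response_types", []):
        if rt not in ALLOWED_RESPONSE_TYPES:
            findings.append(f"dcr: response_type '{rt}' no longer permitted (Hybrid Flow)")
    return findings


def severity(today: dt.date, retirement_date: dt.date = RETIREMENT_DATE) -> str:
    """Hybrid Flow is deprecated before the retirement date and unsupported from it onward."""
    return "error" if today >= retirement_date else "warning"


def assess(oidd: dict, claims: dict, today: dt.date,
           retirement_date: dt.date = RETIREMENT_DATE) -> list[tuple[str, str]]:
    """Combine both checks and grade every finding for the given date."""
    sev = severity(today, retirement_date)
    return [(sev, finding) for finding in check_oidd(oidd) + check_dcr(claims)]


if __name__ == "__main__":
    for sev, finding in assess(SAMPLE_OIDD, SAMPLE_DCR_CLAIMS, dt.date.today()):
        print(f"[{sev}] {finding}")
```

Run against a live OIDD, replace SAMPLE_OIDD with the parsed JSON from the Data Holder's openid-configuration endpoint and SAMPLE_DCR_CLAIMS with the decoded payload of the registration request JWT; the check is read-only and needs no network access of its own.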