
Well, if you're using authorization code flow, trust your TLS certification authorities enough, then yeah, it's probably safe, though you'll be definitely violating the spec: http://openid.net/specs/openid-connect-core-1_0.html#CodeFlo...

But if you go as far as not verifying the ID Token, what do you need OpenID Connect for? Just use plain old OAuth 2.0.
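The ID Token validation the comment above refers to is the check list in OpenID Connect Core 1.0 section 3.1.3.7 (signature, iss, aud/azp, exp, iat, nonce). The following is an added example, not code from the thread or from any OpenID library: it builds a constructed HS256-signed ID Token and then runs those checks against it. The issuer URL, client id, shared secret, subject and nonce are assumed sample values; a real relying party would verify an RS256/ES256 signature with the OP's published JWKS instead of a shared secret.

```python
# Added example: ID Token validation for the authorization code flow,
# following the checks in OpenID Connect Core 1.0 section 3.1.3.7.
# Uses only the standard library; the token is constructed locally.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.com"            # assumed OP issuer (must match discovery 'issuer')
CLIENT_ID = "rp-client-123"                  # assumed relying-party client id
CLIENT_SECRET = b"constructed-shared-secret"  # constructed HS256 key (never use in production)
NOW = 1_700_000_000                           # fixed clock so the example is deterministic
SAMPLE_CLAIMS = {                             # constructed claims an OP might issue
    "iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
    "exp": NOW + 600, "iat": NOW, "nonce": "n-0S6_WzA2Mj",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Build a constructed JWT; stands in for the token the OP's token endpoint returns."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None,
                      key: bytes = CLIENT_SECRET, max_age: int = 300) -> dict:
    """Return the claims if every check passes; raise ValueError naming the first failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Accept only the algorithm registered for this client; never trust 'alg' from the token
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("audience mismatch")
    # With several audiences the spec requires azp to name this client
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or now - claims["iat"] > max_age:
        raise ValueError("token too old")
    # nonce binds the token to the authentication request that started this flow
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def check(token: str, expected_nonce: str, now=None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the failure reason."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_subject(token: str, new_sub: str) -> str:
    """Rewrite 'sub' in the payload without re-signing (what a modified token looks like)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    good = make_id_token(SAMPLE_CLAIMS)
    print("valid token:      ", check(good, "n-0S6_WzA2Mj", now=NOW))
    print("modified payload: ", check(tamper_subject(good, "someone-else"), "n-0S6_WzA2Mj", now=NOW))
    print("alg=none token:   ", check(make_id_token(SAMPLE_CLAIMS, alg="none"), "n-0S6_WzA2Mj", now=NOW))
    print("expired token:    ", check(good, "n-0S6_WzA2Mj", now=NOW + 601))
```

The order of checks matters: signature and algorithm are verified before any claim is read, so a modified payload or an unsigned token is rejected without its contents ever being trusted, and the nonce check is what ties the token to the session that sent the authentication request.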

There are a lot of convenient things to lift out of OpenID Connect, for example:

* The Discovery URL

* Standardisation in the subject name

* The userinfo endpoint
