remove long paragraph about OIDC

closes #59
oauth-wg · Dec 17, 2024 · 0188462 · 0188462
1 parent 3d34534
commit 0188462
Showing 1 changed file with 0 additions and 9 deletions.
diff --git a/draft-ietf-oauth-browser-based-apps.md b/draft-ietf-oauth-browser-based-apps.md
@@ -1136,15 +1136,6 @@ using the recommended Authorization Code grant type.
 * If the JavaScript application gets wrapped into a native app, then {{RFC8252}}
   also requires the use of the Authorization Code grant type with PKCE anyway.
 
-In OpenID Connect, the ID Token is sent in a known format (as a JWT), and digitally
-signed. Returning an ID token using the Implicit grant type (`response_type=id_token`) requires the client
-validate the JWT signature, as malicious parties could otherwise craft and supply
-fraudulent ID tokens. Performing OpenID Connect using the Authorization Code grant type provides
-the benefit of the client not needing to verify the JWT signature, as the ID token will
-have been fetched over an HTTPS connection directly from the authorization server's token endpoint. Additionally,
-in many cases an application will request both an ID token and an access token, so it is
-simpler and provides fewer attack vectors to obtain both via the Authorization Code flow.
-
 
 
 Resource Owner Password Grant