[Openid-specs-fapi] Issue #51: Message source authentication failure - (openid/fapi)

Nat Sakimura nat at sakimura.org
Thu Dec 8 14:08:21 UTC 2016

Agreed that wording can be improved. As to the correctness is concerned, 
it is. Even if we do TLS mutual authentication, it only applies to the 
Token Request and the Authorization Request is not source authenticated 
as it goes through the browser redirect. Late binding of authentication 
does not work here as it does not protect against injection attacks etc.

Nat Sakimura
Chairman, OpenID Foundation

On 2016-12-08 22:38, Dave Tonge via Openid-specs-fapi wrote:
> New issue 51: Message source authentication failure -
> https://bitbucket.org/openid/fapi/issues/51/message-source-authentication-failure
> Dave Tonge:
> https://bitbucket.org/openid/fapi/annotate/d4edc14c0b76155c97623edb521bfdc56afd64b7/Financial_API_WD_001.md?at=master&fileviewer=file-view-default#Financial_API_WD_001.md-297
> I think the wording of this paragraph could be improved. Also is this
> strictly correct? We recommend TLS mutual authentication which would
> allow authentication of part of the authorization flow?
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list