[Openid-specs-fapi] Issue #110: more definition of s_hash (openid/fapi)

Brian Campbell issues-reply at bitbucket.org
Thu Jul 6 20:06:47 UTC 2017

New issue 110: more definition of s_hash

Brian Campbell:

In Issue #109 I've suggested that maybe s_hash isn't needed but, if it does stay, I think it needs a bit more definition. 

OAuth and OIDC both have state as recommended but not required. So the definition of s_hash needs to clearly state what should happen when state was omitted from the authentication request and thus authentication response. I'd assume that s_hash would be omitted from the ID Token when state wasn't present. But I think the document should be explicit about it. 

The document should also probably make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims

More information about the Openid-specs-fapi mailing list