[Openid-specs-fapi] Issue #113: awkward logic around client support for OAUTB or MTLS (openid/fapi)
Brian Campbell
issues-reply at bitbucket.org
Thu Jul 6 20:50:39 UTC 2017
New issue 113: awkward logic around client support for OAUTB or MTLS
https://bitbucket.org/openid/fapi/issues/113/awkward-logic-around-client-support-for
Brian Campbell:
Part 2 section 5.2.3 Public Client has "shall support OAUTB as a holder of key mechanism;" and then 5.2.4 Confidential Client has "In addition to the provision to the Public Client and the provisions of clause 5.2.3, the Confidential Client [...] shall support OAUTB or MTLS as a holder of key mechanism;"
I think I understand the intent that a public client needs to do OAUTB while a confidential client needs to do either OAUTB or MTLS. But the way that it reads, in trying to translate that text into logic, it might suggest that support of OAUTB is the only thing that fulfills the requirement because 5.2.3 has "shall support OAUTB" and 5.2.4 picks up that provision.