[Openid-specs-fapi] Issue #117: CIBA - Signature for successful token notification (openid/fapi)
issues-reply at bitbucket.org
Mon Jul 17 10:09:00 UTC 2017
New issue 117: CIBA - Signature for successful token notification
In the CIBA spec, the AS sends a payload similar to the `Successful Token Response` in OIDC. The connection is authenticated using a bearer token provided by the client.
The CIBA spec is a profile of OIDC and therefore requires an ID Token to be sent in this payload.
Should this ID Token contain an `at_hash` claim so that the client can be assured of the payload integrity?
If an `at_hash` claim is included, should there also be an `rt_hash`?
The current draft requires an `at_hash`.
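The check the issue asks about, as an added example that is not part of the original issue or of any CIBA draft: a client-side comparison of the tokens in the notification payload against hashes carried in the already signature-verified ID Token, using the `at_hash` construction from OIDC Core 3.1.3.6. The function names and sample tokens are constructed, and `rt_hash` is assumed to use the same construction as `at_hash`.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JWS "alg" header (OIDC Core 3.1.3.6).
HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def token_hash(token: str, alg: str) -> str:
    """Left-most half of the hash of the token's ASCII octets, base64url, no padding."""
    digest = HASH_FOR_ALG[alg[-3:]](token.encode("ascii")).digest()  # unknown alg raises
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()

def binding_problems(payload: dict, alg: str, claims: dict,
                     require_rt_hash: bool = False) -> list:
    """Compare tokens in a notification payload with the hashes in the ID Token.

    `alg` and `claims` must come from an ID Token whose signature was already
    verified. Returns a list of problems; empty means every checked token is bound.
    """
    checks = [("access_token", "at_hash", True),
              # rt_hash: assumption, same construction as at_hash
              ("refresh_token", "rt_hash", require_rt_hash)]
    problems = []
    for token_field, claim, required in checks:
        token, expected = payload.get(token_field), claims.get(claim)
        if expected is None:
            if required and token is not None:
                problems.append(f"{claim} missing")
            continue
        if token is None or not hmac.compare_digest(token_hash(token, alg), expected):
            problems.append(f"{claim} mismatch")
    return problems

# Constructed sample: tokens as delivered in the notification, claims as signed by the AS.
ALG = "RS256"
PAYLOAD = {"access_token": "constructed-access-token",
           "refresh_token": "constructed-refresh-token"}
CLAIMS = {"at_hash": token_hash(PAYLOAD["access_token"], ALG),
          "rt_hash": token_hash(PAYLOAD["refresh_token"], ALG)}

if __name__ == "__main__":
    swapped = dict(PAYLOAD, refresh_token="substituted-refresh-token")
    print(binding_problems(PAYLOAD, ALG, CLAIMS, require_rt_hash=True))
    print(binding_problems(swapped, ALG, CLAIMS, require_rt_hash=True))
    # With only at_hash signed, the changed refresh token is not noticed.
    print(binding_problems(swapped, ALG, {"at_hash": CLAIMS["at_hash"]}))
```

The last call shows the gap behind the `rt_hash` question: when the ID Token carries only `at_hash`, a changed refresh token in the payload passes the check.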