[Openid-specs-fapi] Issue #160: FAPI part 2 - Request Object Endpoint (client authentication) (openid/fapi)

Torsten Lodderstedt issues-reply at bitbucket.org
Sat Aug 11 16:18:53 UTC 2018

New issue 160: FAPI part 2 - Request Object Endpoint (client authentication)

Torsten Lodderstedt:

The Request Object Endpoint is basically a protected endpoint at the AS/OP utilized to push request objects up front to the AS/OP. I like the idea as it moves the burden for managing request objects to the AS.

The endpoint uses a digital signature as the mechanism to authenticate the client, which completely differs from the way clients are authenticated at AS endpoints or standard OAuth resource servers.

From an implementer's perspective, this means the endpoint needs to know the client_ids and respective public keys of all clients entitled to use the endpoint. I expect this to make the implementation more complex than needed.

I suggest making it a standard OAuth resource and using (cert-bound) access tokens issued based on the client credentials (or any appropriate grant type) to protect it. This way, all standard OAuth mechanisms can be leveraged to implement the endpoint. The endpoint could even be implemented as an extension to OAuth/OpenID products without any extension points or access to internal data.
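As an added illustration of the alternative proposed above (example code, not part of the post or of any FAPI implementation): the check a request object endpoint would perform if it were protected as a plain OAuth resource with certificate-bound access tokens, i.e. validate the token like any resource server and then compare the token's `cnf`/`x5t#S256` thumbprint against the TLS client certificate actually presented. The claim layout, the `request_object` scope name and the certificate bytes are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample: DER bytes of the client's TLS certificate as handed over
# by the endpoint's TLS layer. Placeholder bytes, not a real certificate.
CLIENT_CERT_DER = b"\x30\x82\x01\x0a-constructed-client-cert-placeholder"


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint as carried in the access token's cnf claim:
    base64url(SHA-256(DER)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_request_object_access(claims: dict,
                                presented_cert_der: Optional[bytes],
                                required_scope: str = "request_object",
                                now: Optional[float] = None) -> Tuple[int, str]:
    """Authorize a push to the request object endpoint.

    'claims' are the access token claims after signature verification (done
    with the AS's keys, exactly as any other resource server would do it).
    The endpoint needs no per-client key material: it only confirms that the
    certificate the token is bound to is the one on the TLS connection.
    Returns (HTTP status, reason) for the caller to map onto the response."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return 401, "invalid_token: expired"
    if required_scope not in claims.get("scope", "").split():
        return 403, "insufficient_scope"
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return 401, "invalid_token: not certificate-bound"
    if presented_cert_der is None:
        return 401, "invalid_token: no client certificate presented"
    # Constant-time comparison of the two thumbprint strings.
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return 401, "invalid_token: certificate does not match cnf"
    return 200, "ok"
```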
