[Openid-specs-fapi] Issue #152: request objects should have iat and exp (openid/fapi)
issues-reply at bitbucket.org
Fri Jul 27 00:25:12 UTC 2018
New issue 152: request objects should have iat and exp
There doesn't seem to be anything in FAPI part 2 that requires request objects to have iat and exp fields.
I believe this would allow an attacker to replay authorisation requests much later on. I'm not sure that's desirable.
Should we be mandating iat & exp?
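The check the issue asks about, sketched as an added example that is not part of the original post or of the FAPI text: a request object is refused unless it carries numeric iat and exp, a bounded lifetime, and has not expired. MAX_LIFETIME, CLOCK_SKEW, the function names and the sample claims are assumptions, and signature verification is assumed to have happened before this step.

```python
import base64, json

MAX_LIFETIME = 300  # assumed policy: longest accepted exp - iat, in seconds
CLOCK_SKEW = 30     # assumed tolerance for clock drift, in seconds

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def claims_of(request_object: str) -> dict:
    """Decode the claims segment; signature verification is assumed done already."""
    parts = request_object.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_freshness(claims: dict, now: int) -> str:
    """Return 'ok', or the reason the request object is refused."""
    for name in ("iat", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return "missing or non-numeric " + name
    iat, exp = claims["iat"], claims["exp"]
    if not 0 < exp - iat <= MAX_LIFETIME:
        return "lifetime outside policy"
    if iat > now + CLOCK_SKEW:
        return "iat is in the future"
    if now > exp + CLOCK_SKEW:
        return "expired"
    return "ok"

def sample(extra: dict) -> str:
    """Build a constructed request object; the signature segment is a placeholder."""
    claims = {"iss": "client-1", "aud": "https://as.example", "client_id": "client-1",
              "response_type": "code id_token", "nonce": "n-1", **extra}
    return ".".join(b64url(json.dumps(p).encode())
                    for p in ({"alg": "PS256"}, claims)) + "." + b64url(b"sig")

NOW = 1_532_651_112  # constructed reference time
undated = sample({})                                  # no iat/exp at all
dated = sample({"iat": NOW - 5, "exp": NOW + 295})    # five-minute lifetime

def verdicts() -> dict:
    """Present each constructed object on time and one day later."""
    return {
        "undated, a day later": check_freshness(claims_of(undated), NOW + 86400),
        "dated, on time": check_freshness(claims_of(dated), NOW),
        "dated, a day later": check_freshness(claims_of(dated), NOW + 86400),
    }
```

Without the first loop in check_freshness, the undated object would have nothing to be compared against the clock and would pass at any later time.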