[Openid-specs-fapi] Issue #270: JARM+FAPI-RW+openid client session binding (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Fri Sep 20 07:56:08 UTC 2019

New issue 270: JARM+FAPI-RW+openid client session binding

Joseph Heenan:

I think there’s an odd interaction with JARM and the FAPI-R spec which doesn’t entirely make sense to me. When you’re using FAPI-R+openid+jarm, FAPI-R requires that clients send nonce. However nonce isn’t part of the JARM response, so there’s actually nothing binding the JARM response to the client session.

FAPI-RW also specifically excludes this situation from requiring support/use of PKCE. [https://openid.net/specs/openid-financial-api-part-2-wd-05.html#authorization-server](https://openid.net/specs/openid-financial-api-part-2-wd-05.html#authorization-server) : 

> shall require [RFC7636] with S256 as the code challenge method for public clients only, if it supports public clients;

(that clause is somewhat odd anyway as FAPI-RW no longer allows public clients)

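The binding gap described in the issue, shown as an added, self-contained example (written for this page; it is not code from the FAPI working group or from any conformance suite). The client generates state, nonce and a PKCE verifier per session; the AS answers with a JARM response JWT whose claims are iss, aud, exp plus the authorization response parameters (code, state), so nonce never appears in it and the client can only tie the response to its session through state. The PKCE S256 check at the token endpoint is included because the quoted FAPI-RW clause is what decides whether that second binding exists. HS256 with a shared secret, the issuer and client identifiers, and the response values are assumptions made so the example runs offline; a real AS would sign JARM responses asymmetrically.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed, stand-alone sketch of the client side of FAPI-RW + openid + JARM
# (response_mode=jwt). HS256 with a shared secret stands in for the AS signing
# key purely so this runs offline (an assumption for illustration only).


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Minimal JWS compact serialization, enough to build a JARM response JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt_hs256(token: str, key: bytes) -> dict:
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def new_client_session() -> dict:
    """Per-login values the client generates before redirecting the user."""
    verifier = b64url(os.urandom(32))
    return {
        "state": b64url(os.urandom(16)),
        "nonce": b64url(os.urandom(16)),  # FAPI-R: clients send nonce with openid
        "code_verifier": verifier,
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),  # S256
    }


def as_build_jarm_response(auth_request: dict, issuer: str, key: bytes, code: str, now: float) -> str:
    """AS side. JARM claims are iss, aud, exp plus the response parameters;
    nonce is not a response parameter, so it is not echoed here (it only
    surfaces later, inside the ID token returned by the token endpoint)."""
    claims = {"iss": issuer, "aud": auth_request["client_id"], "exp": int(now) + 60,
              "code": code, "state": auth_request["state"]}
    return sign_jwt_hs256(claims, key)


def validate_jarm_response(jwt: str, key: bytes, client_id: str, issuer: str,
                           session: dict, now: float) -> dict:
    """Client side JARM checks: signature, iss, aud, exp, then state against the session."""
    claims = verify_jwt_hs256(jwt, key)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("response expired")
    # state is the only request-bound value the client can tie to its session here
    if not hmac.compare_digest(str(claims.get("state", "")), session["state"]):
        raise ValueError("state does not match this client session")
    return claims


def jarm_response_has_nonce(claims: dict) -> bool:
    return "nonce" in claims


def as_check_pkce_s256(code_verifier: str, stored_code_challenge: str) -> bool:
    """Token-endpoint check the AS performs when PKCE with S256 was used."""
    derived = b64url(hashlib.sha256(code_verifier.encode()).digest())
    return hmac.compare_digest(derived, stored_code_challenge)


def run_flow(key: bytes = b"demo-shared-secret", now: float = 1_600_000_000.0) -> dict:
    """Session -> authorization request -> JARM response -> client checks -> PKCE at token endpoint."""
    issuer, client_id = "https://as.example", "client-123"  # assumed identifiers
    session = new_client_session()
    auth_request = {"client_id": client_id, "response_type": "code", "scope": "openid",
                    "state": session["state"], "nonce": session["nonce"],
                    "code_challenge": session["code_challenge"],
                    "code_challenge_method": "S256", "response_mode": "jwt"}
    jarm = as_build_jarm_response(auth_request, issuer, key, code="code-abc", now=now)
    claims = validate_jarm_response(jarm, key, client_id, issuer, session, now)
    other_session = new_client_session()  # a different browser session's verifier
    return {
        "claims": claims,
        "nonce_in_jarm": jarm_response_has_nonce(claims),
        "pkce_binds_code": as_check_pkce_s256(session["code_verifier"], auth_request["code_challenge"]),
        "foreign_verifier_rejected": not as_check_pkce_s256(other_session["code_verifier"],
                                                            auth_request["code_challenge"]),
    }


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running it shows the JARM claims validating cleanly with no nonce present, while the PKCE check is the step that refuses a code redeemed with a verifier from a different session; under the quoted clause that check is only mandated for public clients.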