[Openid-specs-fapi] Issue #342: sender-constrained auth codes & refresh tokens: what does it mean? (openid/fapi)

Brian Campbell issues-reply at bitbucket.org
Wed Nov 18 21:30:23 UTC 2020


New issue 342: sender-constrained auth codes & refresh tokens: what does it mean?
https://bitbucket.org/openid/fapi/issues/342/sender-constrained-auth-codes-refresh

Brian Campbell:

Baseline has "shall only issue authorization codes and refresh tokens that are sender-constrained"

What's the intent of having this? The two previous items requiring client auth and PKCE mean a priori that the RT is sender-constrained and the auth code is sender-constrained twice. But this text maybe suggests something else. Or is redundant. I'm not sure.
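To illustrate the point raised in the question, here is an added example (not code from the issue, the FAPI spec, or the OpenID Foundation): a toy authorization server that shows the two bindings on an authorization code (client authentication plus a PKCE S256 verifier) and the single binding on a refresh token (client authentication). The client identifiers, secrets and token store are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal AS state; constructed client registry, not a real deployment."""

    def __init__(self, client_secrets: dict):
        self.client_secrets = client_secrets      # client_id -> client_secret
        self.codes = {}                           # code -> (client_id, code_challenge)
        self.refresh_tokens = {}                  # refresh_token -> client_id

    def authorize(self, client_id: str, code_challenge: str) -> str:
        """Front channel: issue a code bound to the requesting client and its challenge."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge)
        return code

    def _authenticate(self, client_id: str, client_secret: str) -> bool:
        expected = self.client_secrets.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def redeem_code(self, client_id, client_secret, code, code_verifier):
        """Token endpoint: the code is sender-constrained twice (client auth + PKCE)."""
        if not self._authenticate(client_id, client_secret):
            return None
        issued = self.codes.pop(code, None)       # single use: a failed attempt burns the code
        if issued is None:
            return None
        bound_client, challenge = issued
        if bound_client != client_id:             # binding 1: authenticated client must match
            return None
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None                           # binding 2: PKCE verifier must match
        refresh_token = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh_token] = client_id
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token}

    def refresh(self, client_id, client_secret, refresh_token):
        """Refresh token is sender-constrained once: only the authenticated issuing client."""
        if not self._authenticate(client_id, client_secret):
            return None
        if self.refresh_tokens.get(refresh_token) != client_id:
            return None
        return {"access_token": secrets.token_urlsafe(16)}
```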