[Openid-specs-fapi] Regrets for today

Daniel Fett fett at danielfett.de
Wed Oct 28 13:38:48 UTC 2020

Hi all,

unfortunately I can't attend the call today.

Nonetheless, I'd like to draw your attention to two topics on the OAuth
mailing list:

Firstly, a new draft for the "iss" parameter, which we're also using in

And a security problem when *not* using iss but relying on per-issuer
redirect URIs:

Note that JARM provides the same protection as the "iss" parameter. FAPI
1 Pt. 2 should therefore be fine.

My plan is to update the FAPI 2 drafts to remove the per-issuer redirect
URIs and to enforce checking the "iss" in the response.


