[Openid-specs-fapi] Issue #428: Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests. (openid/fapi)

Ralph Bragg issues-reply at bitbucket.org
Thu Jul 1 07:03:54 UTC 2021


New issue 428: Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests.
https://bitbucket.org/openid/fapi/issues/428/baseline-clause-741-talks-about-security

Ralph Bragg:

### 7.4.1. Authorization request and response

In this document, the authorization request is not encrypted. Thus, it is possible to leak the information contained if the web browser is compromised.

**Authorization response can be encrypted as ID Token can be encrypted.**

This should read:

Authorization requests can be encrypted and an ID Token can be encrypted to mitigate;


