[Openid-specs-fapi] Issue #413: FAPI2 Baseline: Sender-Constrained Authorization Code (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Wed May 26 03:00:08 UTC 2021

New issue 413: FAPI2 Baseline: Sender-Constrained Authorization Code

Takahiko Kawasaki:

[FAPI 2.0 Baseline Profile \(20 May 2021\)](https://openid.net/specs/fapi-2_0-baseline-00.html), [2.2.1. Requirements for Authorization Servers](https://openid.net/specs/fapi-2_0-baseline-00.html#name-requirements-for-authorizat), The 12th clause:

> 12. shall only issue authorization codes and refresh tokens that are sender-constrained

To sender-constrain authorization codes, DPoP is the only solution at this moment, isn’t it?

[FAPI 1.0 ID1 Part2](https://openid.net/specs/openid-financial-api-part-2-ID1.html) had a similar requirement which assumes MTLS \(and Token Binding\) \(e.g. 5.2.2-5, 8.3.2\), but the requirement was dropped due to its impracticality \(cf. [\[Issue 202\] authorization code and refresh token must be holder of key bound](https://bitbucket.org/openid/fapi/issues/202)\).

Sorry if this has already been discussed in the WG and the clause is the agreed result of the discussion.

More information about the Openid-specs-fapi mailing list