[Openid-specs-ab] Issue #1644: Security considerations for the Initiating User Registration specification (openid/connect)

Andrii Deinega issues-reply at bitbucket.org
Thu Sep 22 20:39:12 UTC 2022


New issue 1644: Security considerations for the Initiating User Registration specification
https://bitbucket.org/openid/connect/issues/1644/security-considerations-for-the-initiating

Andrii Deinega:

I'm wondering if the “security consideration” section should include a suggestion to send the authorization requests as a JWT as a protection against misuse (a malicious actor can’t add or change a value in the prompt parameter as the integrity of the request is checked by the OP).

Right now this section is empty, see [https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-security-considerations](https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-security-considerations).

It might also make sense to include a reference to [RFC 9101](https://datatracker.ietf.org/doc/html/rfc9101) as well.

As a side note, IMO this generic suggestion plays an even more important role for other values of the prompt parameter, say “login”.
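The OP-side check the post is asking for, as an added example that is not from this thread or from the OpenID specifications: the request object is HS256-signed with the client secret (one of the options OIDC Core allows for request objects; RFC 9101 covers the general mechanism), and the OP takes `prompt` only from the verified JWT, so a value appended to or altered in the plain query string has no effect. All identifiers and values are constructed for the example.

```python
# Added example, not from the thread or the spec: the OP resolves "prompt" from a
# signed request object (RFC 9101 style, HS256 keyed with the client secret) and
# ignores any "prompt" carried only in the query string. Values are constructed.
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlparse

CLIENT_ID = "s6BhdRkqt3"                              # constructed sample client
CLIENT_SECRET = b"constructed-secret-shared-with-op"  # constructed, HS256 key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(claims: dict) -> str:
    """Client side: build an HS256-signed request object carrying the parameters."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_request_object(jwt: str) -> dict:
    """OP side: pin the algorithm, check the MAC, then return the claims."""
    header, body, sig = jwt.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg in request object")
    expected = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("request object signature does not verify")
    return json.loads(_b64url_decode(body))

def effective_prompt(authz_url: str) -> str:
    """Resolve 'prompt' from the signed request object only.

    Per RFC 9101 the OP must use the request object's parameters even when the
    same name also appears as a query parameter, so the query copy is ignored.
    """
    qs = parse_qs(urlparse(authz_url).query)
    claims = verify_request_object(qs["request"][0])
    if claims.get("client_id") != qs.get("client_id", [None])[0]:
        raise ValueError("client_id in request object and query differ")
    return claims.get("prompt", "")
```

A tampered body or an injected `&prompt=none` both fail to change the outcome: the first breaks the MAC and is rejected, the second is never read.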



