[Openid-specs-ab] Issue #1171: Creating a way to mandate Request Object (by value or by reference) (openid/connect)
issues-reply at bitbucket.org
Thu Jun 4 11:36:15 UTC 2020
New issue 1171: Creating a way to mandate Request Object (by value or by reference)
This has also come up in the OAuth WG.
A downgrade attack on the protocol that forces the AS to accept a plain request instead of a request object seems to be possible.
It was suggested there by Torsten:
> I suggest to add a server metadata parameter “require_request_objects” so the AS can indicate its policy to clients.