[Openid-specs-ab] Issue #1171: Creating a way to mandate Request Object (by value or by reference) (openid/connect)

Nat issues-reply at bitbucket.org
Thu Jun 4 11:36:15 UTC 2020


New issue 1171: Creating a way to mandate Request Object (by value or by reference)
https://bitbucket.org/openid/connect/issues/1171/creating-a-way-to-mandate-request-object

Nat Sakimura:

This has also come up in the OAuth WG.

A downgrade attack on the protocol that forces the AS to accept a plain request instead of a request object seems to be possible.

It was suggested there by Torsten: 

> I suggest to add a server metadata parameter "require_request_objects" so the AS can indicate its policy to clients.

Please discuss.
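The following is an added, constructed example (not from the issue or the OpenID Connect specs) showing how the proposed server metadata parameter would close the downgrade described above: the AS refuses a plain authorization request when it advertises require_request_objects, and a client reads the same flag to know it must always send a request object by value (request) or by reference (request_uri). The metadata parameter name is the one proposed in the message; the helper names and sample URLs are assumptions.

```python
"""AS-side enforcement of a proposed 'require_request_objects' policy.

Constructed example: blocks the downgrade from a request object (passed by
value in `request` or by reference in `request_uri`) to a plain
authorization request when the AS advertises require_request_objects.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed AS metadata, as it would appear in the discovery document.
# The parameter name follows the proposal in the issue; it is hypothetical.
AS_METADATA = {
    "issuer": "https://as.example",
    "require_request_objects": True,
}


def carries_request_object(params: dict) -> bool:
    """True if the request object is passed by value or by reference."""
    return "request" in params or "request_uri" in params


def check_authorization_request(url: str, metadata: dict) -> dict:
    """Apply the AS policy to an incoming authorization request URL.

    Returns {"accepted": True}, or an OAuth-style error object the AS would
    return to the client when a plain request arrives despite the policy.
    """
    # parse_qs drops empty values, so an empty `request=` does not count.
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if metadata.get("require_request_objects", False) and not carries_request_object(params):
        # A plain request although the AS mandates request objects: this is
        # the downgrade the metadata policy is meant to refuse.
        return {
            "accepted": False,
            "error": "invalid_request",
            "error_description": "request object required (by value or by reference)",
        }
    return {"accepted": True}


def client_must_use_request_object(metadata: dict) -> bool:
    """Client side: honour the advertised policy and never send a plain request."""
    return bool(metadata.get("require_request_objects", False))
```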

