[Openid-specs-fapi] Issue #110: more definition of s_hash (openid/fapi)
Brian Campbell
issues-reply at bitbucket.org
Thu Jul 6 20:06:47 UTC 2017
New issue 110: more definition of s_hash
https://bitbucket.org/openid/fapi/issues/110/more-definition-of-s_hash
Brian Campbell:
In Issue #109 I've suggested that maybe s_hash isn't needed but, if it does stay, I think it needs a bit more definition.
OAuth and OIDC both have state as recommended but not required. So the definition of s_hash needs to clearly state what should happen when state was omitted from the authentication request and thus authentication response. I'd assume that s_hash would be omitted from the ID Token when state wasn't present. But I think the document should be explicit about it.
The document should also probably make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims
More information about the Openid-specs-fapi
mailing list