[Openid-specs-fapi] Issue #81: Identify user associated to the access token (openid/fapi)
Pamela Dingle
issues-reply at bitbucket.org
Thu Mar 23 11:54:13 UTC 2017
New issue 81: Identify user associated to the access token
https://bitbucket.org/openid/fapi/issues/81/identify-user-associated-to-the-access
Pamela Dingle:
The read-only spec section 6.2.1 says a resource server "shall identify the associated user to the access token;". But what if the subject isn't a user? What if this particular request is from a legitimate non-human subject, such as a client application making a B2B call? It is perfectly valid for API security regimes to use 2-legged schemes to access financial APIs. Is this simply considered out of scope?
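As an added illustration of the distinction raised above (example code written for this page, not part of the original post, the FAPI specification or any working-group implementation): a resource server that receives an RFC 7662 token-introspection response can decide whether the token is bound to a user or only to the calling client, and apply a different policy to each. The field names `active`, `sub`, `client_id`, `scope` and `exp` are the standard introspection fields; the rule that a 2-legged (client_credentials) token either carries no `sub` or a `sub` equal to its `client_id` is an assumption of this example, since the specification text quoted above does not define what the subject of such a token is. The sample responses, the endpoint names and the `tpp-app-1` / `customer-8823` identifiers are constructed.

```python
"""Resource-server check for the subject bound to an access token.

Constructed example, not FAPI working-group code. It maps an RFC 7662
introspection response to either a user subject (3-legged token, e.g.
from an authorization-code grant) or a client-only subject (2-legged
token from a client_credentials grant). The "sub absent or equal to
client_id means client-only" rule is an assumption of this example.
"""
import time
from dataclasses import dataclass
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class TokenSubject:
    kind: str                  # "user" or "client"
    user_id: Optional[str]     # set only when kind == "user"
    client_id: str
    scopes: FrozenSet[str]


class TokenError(Exception):
    """Raised when a token must be rejected."""


def subject_from_introspection(resp: dict, now: Optional[float] = None) -> TokenSubject:
    """Turn an introspection response into the subject it actually authorizes.

    Rejects inactive or expired tokens and responses that do not identify
    the calling client at all (without a client_id there is no subject).
    """
    now = time.time() if now is None else now
    if not resp.get("active", False):
        raise TokenError("token inactive")
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        raise TokenError("token expired")
    client_id = resp.get("client_id")
    if not client_id:
        raise TokenError("introspection response does not identify the client")
    scopes = frozenset(resp.get("scope", "").split())
    sub = resp.get("sub")
    # Assumption of this example: a client_credentials token carries no `sub`
    # or one equal to its client_id; any other `sub` denotes an end user.
    if sub is None or sub == client_id:
        return TokenSubject("client", None, client_id, scopes)
    return TokenSubject("user", sub, client_id, scopes)


def authorize(resp: dict, endpoint_requires_user: bool, required_scope: str,
              now: Optional[float] = None) -> TokenSubject:
    """Resource-server policy for one request.

    Endpoints that expose a particular customer's data need a user-bound
    token; B2B endpoints accept a client-only token. Scope is checked in
    both cases, so a 2-legged token is never a blanket bypass.
    """
    subj = subject_from_introspection(resp, now)
    if required_scope not in subj.scopes:
        raise TokenError(f"missing scope {required_scope!r}")
    if endpoint_requires_user and subj.kind != "user":
        raise TokenError("endpoint requires a user-bound token; got a client-only token")
    return subj


# Constructed sample introspection responses (not real data).
USER_TOKEN = {
    "active": True, "sub": "customer-8823", "client_id": "tpp-app-1",
    "scope": "accounts openid", "exp": 2_000_000_000,
}
CLIENT_CREDENTIALS_TOKEN = {
    "active": True, "sub": "tpp-app-1", "client_id": "tpp-app-1",
    "scope": "accounts", "exp": 2_000_000_000,
}


if __name__ == "__main__":
    fixed_now = 1_900_000_000  # before both tokens' exp
    print(authorize(USER_TOKEN, True, "accounts", now=fixed_now))
    print(authorize(CLIENT_CREDENTIALS_TOKEN, False, "accounts", now=fixed_now))
    try:
        authorize(CLIENT_CREDENTIALS_TOKEN, True, "accounts", now=fixed_now)
    except TokenError as e:
        print("rejected:", e)
```

The point of keeping the subject kind explicit on the result is that the resource server can log and audit which requests were made on behalf of a user and which were pure client-to-client calls, rather than treating the absence of a user as an error everywhere.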