[Openid-specs-fapi] Issue #97: "alg" MUST not be "none" (openid/fapi)
Axel Nennker
issues-reply at bitbucket.org
Tue May 16 13:14:31 UTC 2017
New issue 97: "alg" MUST not be "none"
https://bitbucket.org/openid/fapi/issues/97/alg-must-not-be-none
Axel Nennker:
Regarding [Financial_API_WD_002.md](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md?at=master&fileviewer=file-view-default) :
“The authorization server shall verify that the request object is valid and the signature is correct as in clause 6.3 of OIDC.”
How about restricting that “alg” is not “none”?
[OpenId.Core Signed Object](https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject) refers to [OpenId Registration](https://openid.net/specs/openid-connect-registration-1_0.html) which allows all values for “alg” and explicitly allows “none”.
I think that FAPI should state that "alg" MUST not be "none".
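To make the concern above concrete, here is an added example (not part of the issue or of any FAPI/OIDC spec text) of how an authorization server can enforce the rule on both the request object it receives and the client metadata it registers. It uses a constructed HS256 allow-list and a constructed shared key purely so it runs offline with the standard library; FAPI itself pins asymmetric algorithms, so `ALLOWED_REQUEST_OBJECT_ALGS` is an assumption, as are the sample claims and key. The important property is that the `alg` header is checked against a server-side allow-list before any signature work is done, so an unsigned ("alg":"none") object is refused outright rather than reaching a code path where an empty signature might pass.

```python
import base64
import hashlib
import hmac
import json

# Server-side allow-list of request-object signing algorithms.
# "none" is never in it. The value is an assumption for this demo;
# a FAPI deployment would list its permitted asymmetric algorithms.
ALLOWED_REQUEST_OBJECT_ALGS = frozenset({"HS256"})

# Constructed sample key and claims for the demonstration below.
DEMO_KEY = b"constructed-demo-secret"
DEMO_CLAIMS = {
    "iss": "client-demo",
    "aud": "https://as.example",
    "response_type": "code",
    "scope": "openid",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_request_object(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS request object.

    alg="none" yields the unsigned form (empty signature part) that the
    verifier must reject; it exists here only as a test vector.
    """
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    if alg != "HS256":
        raise ValueError("demo signer only implements HS256")
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_request_object(jws: str, key: bytes) -> dict:
    """Return the claims if the request object is acceptable, else raise ValueError.

    The alg check runs first and uses the server's allow-list, never the
    header's own claim about itself, so "none" and unexpected algorithms
    are refused before any signature comparison happens.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_REQUEST_OBJECT_ALGS:
        raise ValueError(f"unacceptable alg {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def accepts_request_object(jws: str, key: bytes) -> bool:
    """Boolean wrapper around verify_request_object for callers and tests."""
    try:
        verify_request_object(jws, key)
        return True
    except ValueError:
        return False


def registration_metadata_ok(metadata: dict) -> bool:
    """Registration-time counterpart: OIDC Dynamic Client Registration lets a
    client declare request_object_signing_alg, and the base spec permits
    "none". This server requires the parameter to be present and on the
    allow-list (the 'must be present' part is a stricter assumption here)."""
    alg = metadata.get("request_object_signing_alg")
    return alg is not None and alg in ALLOWED_REQUEST_OBJECT_ALGS


if __name__ == "__main__":
    signed = build_request_object(DEMO_CLAIMS, DEMO_KEY)
    unsigned = build_request_object(DEMO_CLAIMS, DEMO_KEY, alg="none")
    print("signed accepted:   ", accepts_request_object(signed, DEMO_KEY))
    print("unsigned accepted: ", accepts_request_object(unsigned, DEMO_KEY))
    print("registration none: ", registration_metadata_ok({"request_object_signing_alg": "none"}))
```

The same allow-list drives both checks, so the registration rule and the per-request rule cannot drift apart; a deployment that later drops an algorithm from the set automatically stops accepting it at both points.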