[Openid-specs-fapi] Issue #97: "alg" MUST not be "none" (openid/fapi)

Axel Nennker issues-reply at bitbucket.org
Tue May 16 13:14:31 UTC 2017

New issue 97: "alg" MUST not be "none"

Axel Nennker:

Regarding [Financial_API_WD_002.md](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md?at=master&fileviewer=file-view-default):
“The authorization server shall verify that the request object is valid and the signature is correct as in clause 6.3 of OIDC.”

How about restricting “alg” so that it is not “none”?

[OpenId.Core Signed Object](https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject) refers to [OpenId Registration](https://openid.net/specs/openid-connect-registration-1_0.html), which allows all values for “alg” and explicitly allows “none”.

I think that FAPI should state that "alg" MUST not be "none".
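As an added example (not code from the post, the FAPI working draft, or OIDC), here is the kind of pre-check an authorization server can run on a request object's JOSE header before any signature verification: it refuses "alg": "none" in any letter case, refuses an unsigned token, and accepts only an explicit allowlist. The allowlist contents, the function names and the constructed test token are assumptions for this example.

```python
import base64
import json

# Assumed allowlist for this example; a real deployment sets this from its own policy.
ALLOWED_ALGS = frozenset({"PS256", "ES256"})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_request_object_alg(jwt: str) -> str:
    """Return the accepted 'alg' of a compact JWS, or raise ValueError.

    Rejects malformed tokens, a missing or non-string alg, "none" in any
    letter case, an empty signature segment, and any alg not on the allowlist.
    This runs before (not instead of) cryptographic signature verification.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a three-part compact JWS")
    header_b64, _payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError, JSON errors
        raise ValueError("unparseable JOSE header") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise ValueError("missing or non-string alg")
    # Compare case-insensitively so "None" / "NONE" spellings are refused as well.
    if alg.lower() == "none":
        raise ValueError("alg 'none' is not permitted for request objects")
    if not signature_b64:
        raise ValueError("request object carries no signature")
    # Exact-match allowlist: anything not explicitly permitted is rejected.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} is not on the allowlist")
    return alg


def make_test_jwt(header: dict, payload: dict, signature: str = "") -> str:
    """Build a compact JWS string as constructed test input (no real key involved)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"
```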
