[Openid-specs-fapi] Issue #100: Signing API response payloads (openid/fapi)
issues-reply at bitbucket.org
Wed May 31 09:13:17 UTC 2017
New issue 100: Signing API response payloads
As discussed on the last FAPI call, there is a use case for signing API response payloads. For example, an FI could make a credit decision based on a user's transaction history it obtains from another FI. In such a case, it would like to have that transaction history signed rather than storing it as a raw JSON payload.
We discussed on the call that using JWS is the best approach for this use case and should be recommended in the FAPI spec.
I suggest that this is added to Part 1, Section 6.
The questions I have are what would be the standard set of claims for such JWTs, e.g. `iat`, etc? Should the resource server have the option to serve either plain JSON or JWTs depending on content negotiation?
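As an added illustration (not part of the original post or of the FAPI spec): a minimal resource server that wraps a transaction-history response in a JWS compact serialization carrying `iss`, `iat` and `exp` claims, the consuming FI's verification of that JWS before the data is trusted, and content negotiation that returns plain JSON unless the client asks for `application/jose`. The HS256 shared key, the issuer URL and the `data` claim name are constructed for this example; a real deployment would more likely use an asymmetric key published by the resource server.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a shared HS256 key stands in for the resource
# server's signing key, and the issuer is a hypothetical resource server URL.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://rs.example-fi.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_response(payload: dict, now: int, ttl: int = 300) -> str:
    """Wrap an API response in a JWS (compact form, HS256) with the usual
    JWT claims iss/iat/exp; the response body travels under the 'data' claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "iat": now, "exp": now + ttl, "data": payload}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_response(token: str, now: int) -> dict:
    """Check algorithm, signature, issuer and validity window before
    returning the embedded payload; anything unexpected is rejected."""
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER or not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("issuer or time check failed")
    return claims["data"]


def serve(payload: dict, accept: str, now: int):
    """Content negotiation: plain JSON by default, a signed JWS when the
    client's Accept header asks for application/jose."""
    if "application/jose" in accept:
        return "application/jose", sign_response(payload, now)
    return "application/json", json.dumps(payload)
```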