[Openid-specs-fapi] [Openid-specs-mobile-profile] Source authentication on client notification endpoint

Torsten Lodderstedt torsten at lodderstedt.net
Sun Nov 12 04:01:57 UTC 2017


Hi Dave,

> Am 07.11.2017 um 00:35 schrieb Dave Tonge <dave.tonge at momentumft.co.uk>:
> 
> The token response sent to this endpoint has an id_token. We suggested that this id_token should include an `at_hash`. This will give the client greater assurance that the token response is from the OpenID Provider and of the integrity of the payload.

Can you elaborate on the threat model underpinning this decision?

best regards,
Torsten.
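
To make the check Dave describes concrete, here is an added example (mine, not code from the thread, the FAPI/CIBA specs or any provider) of a client validating the `at_hash` in the id_token against the access token delivered to its notification endpoint, following the at_hash construction in OpenID Connect Core 3.1.3.6. It assumes the id_token's signature has already been verified and that `alg` is taken from that verified JWS header; the claim and token values are constructed.

```python
import base64
import hashlib
import hmac

# Digest used for at_hash, selected by the id_token's JWS "alg" (OIDC Core 3.1.3.6):
# SHA-2 with the same bit length as the signature algorithm.
_AT_HASH_DIGEST = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str) -> str:
    """Left-most half of the digest of the ASCII access_token, base64url-encoded."""
    digest = _AT_HASH_DIGEST[alg](access_token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def at_hash_matches(id_token_claims: dict, access_token: str, alg: str) -> bool:
    """Return True only if the access_token is bound to the (signature-verified) id_token.

    A missing at_hash is treated as a failure: without it the signed id_token says
    nothing about which access token was posted to the notification endpoint.
    """
    expected = id_token_claims.get("at_hash")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, compute_at_hash(access_token, alg))


if __name__ == "__main__":
    # Constructed sample values; alg would come from the verified JWS header.
    token = "constructed-access-token-value"
    claims = {"iss": "https://op.example", "at_hash": compute_at_hash(token, "RS256")}
    print(at_hash_matches(claims, token, "RS256"))                 # True
    print(at_hash_matches(claims, token + "x", "RS256"))           # False: token swapped
    print(at_hash_matches({"iss": "https://op.example"}, token, "RS256"))  # False: no at_hash
```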
