[Openid-specs-fapi] Issue #196: OAuth Security BCP and FAPI (openid/fapi)
issues-reply at bitbucket.org
Wed Dec 19 12:55:49 UTC 2018
New issue 196: OAuth Security BCP and FAPI
As many WG members will be aware there is active work on: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10
As there is an overlap between the authors of the BCP and members of FAPI, and there are common goals between the 2 documents, I think we need to have a discussion on the connection between the documents.
From my perspective, I would like to get FAPI to a position where we can categorically state that compliance with FAPI means that the security BCP is being adhered to.
Torsten has mentioned a few differences:
- AS-specific redirect_uris (these are only required for public clients)
- PKCE (I actually don't think this is an issue, FAPI1 requires it and FAPI2 requires OIDC hybrid mode)
Other differences that I'm aware of:
- sender-constrained tokens (the BCP has this as a should, however we don't require it in Part 1)