[Openid-specs-fapi] Issue #152: request objects should have iat and exp (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Fri Jul 27 00:25:12 UTC 2018


New issue 152: request objects should have iat and exp
https://bitbucket.org/openid/fapi/issues/152/request-objects-should-have-iat-and-exp

Joseph Heenan:

There doesn't seem to be anything in FAPI part 2 that requires request objects to have iat and exp fields.

I believe this would allow an attacker to replay authorisation requests much later on. I'm not sure that's desirable.

Should we be mandating iat & exp?
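
The replay window the issue describes, as an added example that is not code from the FAPI specification, the working group, or the post author: a request-object check that first verifies the signature and then refuses tokens that lack `iat`/`exp`, carry an overlong lifetime, are issued in the future, or are stale. The HS256 shared secret, the skew and lifetime limits, and the sample claims are assumptions made so the example runs on the Python standard library alone; FAPI mandates asymmetric request-object signatures (PS256/ES256), so a real authorisation server would replace the HMAC step with a JWS library and the client's registered public key.

```python
"""Reject FAPI-style request objects that have no bounded iat/exp.

Added example, not from the FAPI spec or the mailing-list post. HS256 with a
shared secret is used only so the example runs with the standard library;
FAPI requires asymmetric signatures (e.g. PS256/ES256), so in a real server
verify with a JWS library against the client's public key before trusting any
claim in the payload.
"""
import base64
import hashlib
import hmac
import json

# Assumed policy values (not taken from the spec): tolerated clock drift between
# client and server, and the longest window a request object may stay valid.
MAX_CLOCK_SKEW = 60   # seconds
MAX_LIFETIME = 600    # seconds, i.e. exp - iat

SECRET = b"example-shared-secret"  # constructed, demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_request_object(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact JWS (HS256) carrying the authorisation request claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class RequestObjectError(ValueError):
    pass


def validate_request_object(token: str, now: int, key: bytes = SECRET) -> dict:
    """Verify the signature, then enforce that iat and exp are present and sane.

    Raises RequestObjectError on any failure; returns the claims on success.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise RequestObjectError("not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' blindly
        raise RequestObjectError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise RequestObjectError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    # The point raised in the issue: a signed request object without iat/exp
    # can be replayed indefinitely, so their absence is a hard failure.
    for name in ("iat", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, int):
            raise RequestObjectError(f"missing or non-integer {name}")
    iat, exp = claims["iat"], claims["exp"]
    if exp <= iat:
        raise RequestObjectError("exp must be after iat")
    if exp - iat > MAX_LIFETIME:
        raise RequestObjectError("lifetime too long")
    if iat > now + MAX_CLOCK_SKEW:
        raise RequestObjectError("issued in the future")
    if exp < now - MAX_CLOCK_SKEW:
        raise RequestObjectError("expired")
    if "nbf" in claims and claims["nbf"] > now + MAX_CLOCK_SKEW:
        raise RequestObjectError("not yet valid")
    return claims


def is_accepted(token: str, now: int) -> bool:
    """True if the request object would be accepted at Unix time `now`."""
    try:
        validate_request_object(token, now)
        return True
    except RequestObjectError:
        return False


if __name__ == "__main__":
    # Constructed sample claims for a code-flow authorisation request.
    base = {"iss": "client-1", "aud": "https://as.example", "response_type": "code",
            "client_id": "client-1", "redirect_uri": "https://client.example/cb",
            "scope": "openid", "state": "abc", "nonce": "n-1"}
    t0 = 1_532_650_000
    fresh = make_request_object({**base, "iat": t0, "exp": t0 + 300})
    no_exp = make_request_object({**base, "iat": t0})
    print("fresh, now:", is_accepted(fresh, t0 + 10))
    print("fresh, a day later:", is_accepted(fresh, t0 + 86_400))
    print("iat but no exp:", is_accepted(no_exp, t0 + 10))
```

The lifetime cap matters as much as presence: a client that sets `exp` a year out satisfies a bare "must have exp" rule while leaving the same replay window, so the server bounds `exp - iat` itself rather than trusting whatever the client chose.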
