[Openid-specs-fapi] Issue #152: request objects should have iat and exp (openid/fapi)
Joseph Heenan
issues-reply at bitbucket.org
Fri Jul 27 00:25:12 UTC 2018
New issue 152: request objects should have iat and exp
https://bitbucket.org/openid/fapi/issues/152/request-objects-should-have-iat-and-exp
Joseph Heenan:
There doesn't seem to be anything in FAPI part 2 that requires request objects to have iat and exp fields.
I believe this would allow an attacker to replay authorisation requests much later on. I'm not sure that's desirable.
Should we be mandating iat & exp?
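
Added example, not part of the original message or of the FAPI specification: a sketch of the freshness check an authorization server could apply to a request object if iat and exp were mandated, so that a captured request cannot be accepted much later. The MAX_LIFETIME and CLOCK_SKEW values, the function names and the sample claims are assumptions made for illustration, and signature verification is assumed to happen before this check.

```python
import base64
import json
import time

MAX_LIFETIME = 600  # assumption: longest accepted exp - iat, in seconds
CLOCK_SKEW = 30     # assumption: tolerated clock difference, in seconds

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_request_object(claims):
    """Build a constructed compact JWS for the demo; the signature is a dummy."""
    header = b64url(json.dumps({"alg": "PS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), b64url(b"dummy-sig")])

def check_freshness(request_object, now=None):
    """Return the reasons to reject; an empty list means the time claims are fine.
    The signature is assumed to have been verified before this is called."""
    now = int(time.time()) if now is None else now
    try:
        seg = request_object.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (IndexError, ValueError):
        return ["malformed request object"]
    if not isinstance(claims, dict):
        return ["malformed request object"]
    errors = []
    for name in ("iat", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            errors.append(f"{name} missing or not numeric")
    if errors:
        return errors  # the case raised in this issue: nothing bounds replay
    iat, exp = claims["iat"], claims["exp"]
    if exp <= now - CLOCK_SKEW:
        errors.append("expired")
    if iat > now + CLOCK_SKEW:
        errors.append("iat in the future")
    if exp - iat > MAX_LIFETIME:
        errors.append("lifetime too long")
    return errors

if __name__ == "__main__":
    now = int(time.time())
    base = {"client_id": "client-1", "redirect_uri": "https://client.example/cb"}  # constructed
    print(check_freshness(make_request_object(base), now))
    print(check_freshness(make_request_object({**base, "iat": now - 86400, "exp": now - 86100}), now))
    print(check_freshness(make_request_object({**base, "iat": now - 10, "exp": now + 290}), now))
```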