[Openid-specs-fapi] Issue #136: responsibility (openid/fapi)
thomasclinganjones at gmail.com
Mon Mar 5 13:05:52 UTC 2018
Perhaps my language is not clear then.
As I understand it, the AS gets a grant, which actually comes from the
client, and responds with a token; the explicit assumption is that the user
trusts the OP to make that at the user's consent.
What I believe MUST be in scope for this to make any sense is that the user
knows who the client is and trusts the clients to act on the user's behalf.
If that is not in scope then this spec is actually meaningless from the
I understand that is out of scope in OpenID Connect, but must be for this
profile. That is why I also added the strong ID part for the client.
In a nutshell:
THE USER MUST BE ABLE TO TRUST ANY ENTITY THAT ACTS ON THE USER'S BEHALF TO
TAKE MONEY OUT OF THE USER'S ACCOUNT.
If that is not in scope we have failed the user.
On Fri, Mar 2, 2018 at 3:05 PM, tomcjones via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> New issue 136: responsibility
> Add a clarifying comment to FAPI #2
> Following this profile as written is not sufficient to prove the user
> bears responsibility for the security of the transaction.