[Openid-specs-fapi] Yet another take on FAPI signatures
anders.rundgren.net at gmail.com
Sun May 20 03:43:25 UTC 2018
As some of you know, I'm not overly convinced that shrouding your precious business data in Base64Url is a great solution.
However, there seems to be a cool way combining Detached JWS with a pretty simple JSON canonicalization scheme:
Is this better than using HTTP headers? I think so because messages remain signed even when stored. As the example above shows, it also works in non-HTTP contexts.
More information about the Openid-specs-fapi