[Openid-specs-fapi] Issue #193: Part 2, Section 5.2.2.: remove response type "code id_token token" (openid/fapi)
Torsten Lodderstedt
issues-reply at bitbucket.org
Sat Nov 17 13:23:27 UTC 2018
New issue 193: Part 2, Section 5.2.2.: remove response type "code id_token token"
https://bitbucket.org/openid/fapi/issues/193/part-2-section-522-remove-response-type
Torsten Lodderstedt:
The latest revision of the OAuth 2.0 Security Best Current Practice recommends that implementers discontinue use of response types issuing access tokens in the front channel. This also holds true for "code id_token token", since the issued access tokens cannot be sender-constrained.
Note: FAPI Part 2 also recommends holder-of-key, which cannot be fulfilled with "code id_token token".
I suggest removing "code id_token token".
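The point above, as an added example that is not part of the original post or of any OpenID project code: an authorization-endpoint check that refuses any response_type containing the "token" component, so no access token is ever returned through the browser redirect, plus a helper showing which redirect parameters each response_type would place in the front channel. The allowed-response-type policy, the endpoint names and the sample request URL are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Redirect parameter produced by each response_type component
# (RFC 6749 and OpenID Connect Core): "token" puts access_token in the redirect.
ARTIFACT_FOR_COMPONENT = {"code": "code", "id_token": "id_token", "token": "access_token"}

# Policy assumed for this example: response types an AS that follows the BCP
# recommendation (no access tokens in the front channel) still accepts.
ALLOWED_RESPONSE_TYPES = frozenset({frozenset({"code"}), frozenset({"code", "id_token"})})


def response_type_components(response_type):
    """response_type is a space-separated, order-insensitive set of components."""
    return frozenset(response_type.split())


def issues_front_channel_access_token(response_type):
    """True if the access token would be delivered through the browser redirect.

    Such a token cannot be sender-constrained: the authorization endpoint never
    sees a client credential (e.g. an mTLS client certificate) to bind it to;
    only the token endpoint, which the client calls directly, does.
    """
    return "token" in response_type_components(response_type)


def front_channel_artifacts(response_type):
    """Parameters the browser would carry in the redirect for this response_type."""
    comps = response_type_components(response_type)
    return frozenset(ARTIFACT_FOR_COMPONENT[c] for c in comps if c in ARTIFACT_FOR_COMPONENT)


def check_authorization_request(url):
    """Validate the response_type of an authorization request URL.

    Assumes redirect_uri has already been matched against the client's
    registered value (never redirect errors to an unvalidated URI).
    Returns {"ok": True, "response_type": ...} on success, otherwise
    {"ok": False, "error": ..., "redirect": <error redirect URL>}.
    """
    query = parse_qs(urlsplit(url).query)
    response_type = query.get("response_type", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    state = query.get("state", [""])[0]
    comps = response_type_components(response_type)

    if not comps:
        error = "invalid_request"  # RFC 6749 4.1.2.1: required parameter missing
    elif issues_front_channel_access_token(response_type) or comps not in ALLOWED_RESPONSE_TYPES:
        error = "unsupported_response_type"
    else:
        return {"ok": True, "response_type": " ".join(sorted(comps))}

    params = {"error": error}
    if state:
        params["state"] = state  # echo state so the client can correlate the error
    # Requests including id_token or token use fragment encoding (OAuth 2.0
    # Multiple Response Type Encoding Practices); "code" alone uses the query.
    separator = "#" if comps & {"id_token", "token"} else "?"
    return {"ok": False, "error": error, "redirect": redirect_uri + separator + urlencode(params)}


if __name__ == "__main__":
    # Constructed sample requests (assumed hostnames, not captured traffic).
    base = ("https://as.example/authorize?client_id=c1&redirect_uri=https://rp.example/cb"
            "&state=xyz&nonce=n1&scope=openid&response_type=")
    for rt in ("code id_token token", "code id_token", "code"):
        print(rt, "->", sorted(front_channel_artifacts(rt)),
              check_authorization_request(base + rt.replace(" ", "%20")))
```

With "code id_token token" the redirect fragment would carry the access token alongside the code and ID token, and the check rejects it with unsupported_response_type; "code id_token" keeps only the code and ID token in the front channel, leaving the access token to be issued by the token endpoint, where it can be bound to the client's credential.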