[Openid-specs-fapi] Issue #193: Part 2, Section 5.2.2.: remove response type "code id_token token" (openid/fapi)

Torsten Lodderstedt issues-reply at bitbucket.org
Sat Nov 17 13:23:27 UTC 2018


New issue 193: Part 2, Section 5.2.2.: remove response type "code id_token token"
https://bitbucket.org/openid/fapi/issues/193/part-2-section-522-remove-response-type

Torsten Lodderstedt:

The latest revision of the OAuth 2.0 Security Best Current Practice recommends that implementors discontinue the use of response types issuing access tokens in the front channel. This also holds true for "code id_token token", since the issued access tokens cannot be sender-constrained.

Note: FAPI Part 2 also recommends holder-of-key, which cannot be fulfilled with "code id_token token".

I suggest removing "code id_token token".
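As an added illustration (not code from the issue author or the FAPI project), the following authorization-server-side policy check rejects any response_type that would deliver an access token in the front channel, plus an audit helper that flags a redirect whose fragment carries an access_token. The allowed set of "code id_token" as the remaining FAPI Part 2 hybrid response type, and all function names, are assumptions made for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Any response_type containing "token" issues an access token via the fragment,
# i.e. the front channel, where it cannot be sender-constrained.
FRONT_CHANNEL_ACCESS_TOKEN = "token"

# Assumed policy for this example: only the hybrid "code id_token" remains permitted.
ALLOWED_RESPONSE_TYPES = {frozenset({"code", "id_token"})}


def parse_response_type(value: str) -> frozenset:
    """response_type is a space-delimited list; order is not significant."""
    parts = value.split()
    if not parts or len(set(parts)) != len(parts):
        raise ValueError("malformed response_type")
    return frozenset(parts)


def issues_front_channel_access_token(response_type: frozenset) -> bool:
    return FRONT_CHANNEL_ACCESS_TOKEN in response_type


def check_authorization_request(url: str) -> dict:
    """Decide whether an authorization request URL is acceptable under the policy."""
    params = parse_qs(urlsplit(url).query)
    raw = params.get("response_type", [""])[0]
    try:
        rt = parse_response_type(raw)
    except ValueError:
        return {"response_type": raw, "allowed": False, "reason": "malformed"}
    if issues_front_channel_access_token(rt):
        return {"response_type": raw, "allowed": False,
                "reason": "access token would be issued in the front channel"}
    if rt not in ALLOWED_RESPONSE_TYPES:
        return {"response_type": raw, "allowed": False,
                "reason": "response_type not permitted"}
    return {"response_type": raw, "allowed": True, "reason": "ok"}


def front_channel_leaks_access_token(redirect_url: str) -> bool:
    """Audit check on a redirect back to the client: an access_token in the
    fragment means the token travelled through the front channel."""
    return "access_token" in parse_qs(urlsplit(redirect_url).fragment)


if __name__ == "__main__":
    # Constructed sample request using the response type the issue proposes to remove.
    sample = "https://as.example/authorize?client_id=c&response_type=code%20id_token%20token"
    print(check_authorization_request(sample))
```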



