[Openid-specs-fapi] Issue #253: Pushed Request Object - Signed request object shouldn't be used for client authentication (openid/fapi)
issues-reply at bitbucket.org
Fri Jul 19 08:49:33 UTC 2019
New issue 253: Pushed Request Object - Signed request object shouldn't be used for client authentication
The 2nd clause in “5.1. Request Object Request” in “Financial-grade API: Pushed Request Object” says as follows.
> If the request object is signed, the signature serves as means for client authentication
However, the signed request object shouldn't be used for client authentication. Conceptually, this is trying to mix `request_object_signing_alg` and `token_endpoint_auth_signing_alg` (which is for [RFC 7523](https://tools.ietf.org/html/rfc7523) client assertion). It is likely that we will encounter undesirable side effects in the future.
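The separation the issue argues for, as an added example that is not part of the issue, the FAPI specification or any implementation: a pushed-request endpoint that authenticates the client only through its RFC 7523 client assertion (checked against `token_endpoint_auth_signing_alg` and the client-authentication key) and verifies the request object separately (against `request_object_signing_alg` and the request-object key), so a request carrying only a signed request object is rejected as unauthenticated. The client ids, keys, URLs and timestamp are constructed, and a HMAC-only toy JWS signer stands in for the asymmetric algorithms FAPI actually requires, purely so the code runs on the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Everything below (endpoint URL, client id, keys, jti) is constructed for this example.
PAR_ENDPOINT = "https://as.example/par"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # RFC 7523
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Two independent registration settings: one alg/key pair for client
# authentication (the RFC 7523 assertion), another for request object signing.
# FAPI mandates asymmetric algorithms; HMAC is used here only to stay stdlib-only.
CLIENTS = {
    "client-123": {
        "token_endpoint_auth_signing_alg": "HS256",
        "client_auth_key": b"constructed-client-auth-secret",
        "request_object_signing_alg": "HS384",
        "request_object_key": b"constructed-request-object-key",
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes, alg: str) -> str:
    """Toy JWS compact serialization (HMAC only)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), _HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jws(token: str, key: bytes, expected_alg: str) -> dict:
    """Verify the MAC and pin `alg` to the value registered for this purpose."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg != expected_alg:
        raise ValueError(f"alg {alg!r} is not the registered {expected_alg!r}")
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), _HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def handle_par(form: dict, now: Optional[float] = None) -> dict:
    """Pushed-request endpoint: client authentication comes only from the
    RFC 7523 assertion; the request object's signature is verified for
    integrity but is never treated as client authentication."""
    now = time.time() if now is None else now
    client = CLIENTS.get(form.get("client_id"))
    if client is None:
        raise PermissionError("unknown client")

    # 1. Client authentication with token_endpoint_auth_signing_alg + auth key.
    if form.get("client_assertion_type") != ASSERTION_TYPE or "client_assertion" not in form:
        raise PermissionError("client assertion required; a signed request object is not client authentication")
    assertion = verify_jws(form["client_assertion"], client["client_auth_key"],
                           client["token_endpoint_auth_signing_alg"])
    if assertion.get("iss") != form["client_id"] or assertion.get("sub") != form["client_id"]:
        raise PermissionError("assertion iss/sub mismatch")
    if assertion.get("aud") != PAR_ENDPOINT or assertion.get("exp", 0) <= now:
        raise PermissionError("assertion audience/expiry invalid")

    # 2. Request object integrity with request_object_signing_alg + request-object key.
    ro = verify_jws(form["request"], client["request_object_key"],
                    client["request_object_signing_alg"])
    if ro.get("client_id") != form["client_id"]:
        raise ValueError("request object client_id mismatch")

    # 3. Hand back an opaque request_uri (constructed format).
    ref = hashlib.sha256(form["request"].encode()).hexdigest()[:16]
    return {"request_uri": f"urn:ietf:params:oauth:request_uri:{ref}", "expires_in": 90}


def build_par_form(client_id: str, claims: dict, authenticate: bool, now: float) -> dict:
    """Client side: sign the request object and, optionally, a client assertion."""
    reg = CLIENTS[client_id]
    form = {"client_id": client_id,
            "request": sign_jws(claims, reg["request_object_key"], reg["request_object_signing_alg"])}
    if authenticate:
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = sign_jws(
            {"iss": client_id, "sub": client_id, "aud": PAR_ENDPOINT,
             "exp": int(now) + 60, "jti": "constructed-jti-1"},
            reg["client_auth_key"], reg["token_endpoint_auth_signing_alg"])
    return form


def demo(now: float = 1_563_526_173) -> dict:
    """Outcome of a properly authenticated push versus a request-object-only push."""
    claims = {"client_id": "client-123", "response_type": "code",
              "scope": "openid accounts", "redirect_uri": "https://client.example/cb"}
    outcomes = {"authenticated": handle_par(build_par_form("client-123", claims, True, now), now)}
    try:
        handle_par(build_par_form("client-123", claims, False, now), now)
        outcomes["request_object_only"] = "accepted"
    except PermissionError as exc:
        outcomes["request_object_only"] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because each verification pins `alg` to the value registered for that purpose, a token signed under the request-object settings cannot be replayed as a client assertion even when both happen to share a key family; the two registration parameters stay independent, which is the distinction the issue asks the specification to preserve.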