[Openid-specs-fapi] Issue #258: False info in the introduction (openid/fapi)

Nat issues-reply at bitbucket.org
Sat Jul 27 14:07:14 UTC 2019


New issue 258: False info in the introduction
https://bitbucket.org/openid/fapi/issues/258/false-info-in-the-introduction

Nat Sakimura:

Currently, it says: 

> However, the request URI mechanisms also has some downsides. The client needs to maintain and expose request objects. This might look easy on first sight, but the client needs to be able to handle inbound requests from the authorization server and, potentially, store a large number of objects in its database including the need to properly clean them up.
>
> It also means the availability and latency of the authorization process at the authorization server depends on the availability and latency of the client’s backend.
>
> Moreover, in order to dereference the `request_uri` parameter the authorization has to make outbound HTTP requests, which brings with it all the potential problems of server-side request forgery.

They are all false. The request object can be at the Authorization Server or at the Client or at a Third Party. 

In addition, Push Request Object pattern is useful not only in the case of pushing it to AS but also a Third Party.




More information about the Openid-specs-fapi mailing list