[Openid-specs-fapi] Alive and kicking: draft-cavage-http-signatures
anders.rundgren.net at gmail.com
Thu Mar 14 12:33:05 UTC 2019
On 2019-03-13 18:31, Joseph Heenan wrote:
>> On 13 Mar 2019, at 17:13, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
>> BTW, where does the FAPI signature solution stand standards-wise?
>> It is not obvious that the FAPI signature solution actually is RESTful; maybe I'm missing something here?
> FAPI doesn’t have a request signature solution in the way being talked about in this thread; that section of the spec refers to an alternate way to pass the OpenID Connect request object to the authorisation server prior to redirecting the user to the authorisation endpoint.
> I believe in this thread we’re all talking about sending signed requests / responses to/from the resource server, which FAPI does not currently say anything about.
Wouldn't both scenarios be possible to cover with a single solution? The use-case seems from a purely technical point of view be the same.
More information about the Openid-specs-fapi