[Openid-specs-fapi] Issue #270: JARM+FAPI-RW+openid client session binding (openid/fapi)
Joseph Heenan
issues-reply at bitbucket.org
Fri Sep 20 07:56:08 UTC 2019
New issue 270: JARM+FAPI-RW+openid client session binding
https://bitbucket.org/openid/fapi/issues/270/jarm-fapi-rw-openid-client-session-binding
Joseph Heenan:
I think there’s an odd interaction with JARM and the FAPI-R spec which doesn’t entirely make sense to me. When you’re using FAPI-R+openid+jarm, FAPI-R requires that clients send nonce. However nonce isn’t part of the JARM response, so there’s actually nothing binding the JARM response to the client session.
FAPI-RW also specifically excludes this situation from requiring support/use of PKCE. [https://openid.net/specs/openid-financial-api-part-2-wd-05.html#authorization-server](https://openid.net/specs/openid-financial-api-part-2-wd-05.html#authorization-server):
> shall require [RFC7636] with S256 as the code challenge method for public clients only, if it supports public clients;
(that clause is somewhat odd anyway as FAPI-RW no longer allows public clients)
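To make the binding point concrete, here is an added client-side check of a code-flow JARM response (example code, not from this thread or the FAPI working group): it validates signature, iss, aud and exp, then ties the response to the client session through `state`, since there is no nonce claim in the JARM JWT to check. The HMAC secret, issuer, client id and claim values are constructed for the demo; a real AS would sign with its own key.

```python
# Added example (not from the thread): client-side validation of a JARM
# (JWT Secured Authorization Response) for the code flow.  JARM carries
# iss/aud/exp plus the response parameters (code, state) but no nonce, so
# `state` is the only value that binds the response to the client session;
# nonce can only be checked later, inside the ID token obtained with `code`.
# SECRET, AS_ISSUER and CLIENT_ID are constructed demo values.
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"      # constructed; stands in for the AS signing key
AS_ISSUER = "https://as.example"    # hypothetical authorization server
CLIENT_ID = "client-123"            # hypothetical client

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jarm_response(claims: dict) -> str:
    """Build an HS256-signed JARM response JWT (test fixture only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jarm_response(token: str, session_state: str, now=None) -> dict:
    """Return the claims if the response is valid and bound to this session,
    otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, body, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # pin the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("response not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("response expired")
    if "error" in claims:
        raise ValueError(f"authorization error: {claims['error']}")
    # The session binding: state must equal the value stored when the request was sent.
    if not hmac.compare_digest(str(claims.get("state", "")), session_state):
        raise ValueError("state does not match this client session")
    return claims
```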