[Openid-specs-fapi] Issue #296: Treatment of subject in id_token used for code detached signature (openid/fapi)
issues-reply at bitbucket.org
Sat Jun 6 08:58:20 UTC 2020
New issue 296: Treatment of subject in id_token used for code detached signature
In the advanced profile, we are proposing to support code id\_token for backwards compability. Sub is a mandatory property however if we are trying to ensure that all of the security properties are met and that no useful information can be intercepted in an untrusted network segment like a user agent should we be mandating that SUB is ephemeral, random, pairwise or something else not related to the end customer.
More information about the Openid-specs-fapi