[Openid-specs-fapi] Regrets for today
Daniel Fett
fett at danielfett.de
Wed Oct 28 13:38:48 UTC 2020
Hi all,
unfortunately I can't attend the call today.
Nonetheless, I'd like to draw your attention to two topics on the OAuth
mailing list:
Firstly, a new draft for the "iss" parameter, which we're also using in
FAPI.
https://mailarchive.ietf.org/arch/msg/oauth/U5PHuXAl4fTiQ0df2cLFtpURAvI/
And a security problem when *not* using iss but relying on per-issuer
redirect URIs:
https://mailarchive.ietf.org/arch/msg/oauth/RjbSwFRmLsk0EgAY2Ter-nw66EY/
Note that JARM provides the same protection as the "iss" parameter. FAPI
1 Pt. 2 should therefore be fine.
My plan is to update the FAPI 2 drafts to remove the per-issuer redirect
URIs and to enforce checking the "iss" in the response.
-Daniel
--
https://danielfett.de
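The client-side check the post argues for, rejecting an authorization response whose `iss` does not name the authorization server the request was actually sent to, as an added example that is not code from the original post, from the FAPI specifications, or from any OpenID project. The `Client` class, `MixUpError`, the issuer URLs and the sample redirect URLs are all constructed for illustration; the comparison rule (exact string match against the issuer identifier bound to `state`) follows the "iss" draft Daniel links, later published as RFC 9207. A single shared redirect URI is assumed, so the binding comes only from `iss`, not from which redirect URI was hit.

```python
"""Validating the "iss" parameter of an OAuth 2.0 authorization response.

Added example for the mailing-list post above; not code from the post,
FAPI, or any OpenID project. Class, method and issuer names are made up.
"""
import secrets
from urllib.parse import parse_qs, urlsplit


class AuthorizationError(Exception):
    """The AS returned an error response (after its iss was verified)."""


class MixUpError(Exception):
    """The response cannot be bound to the AS we sent the request to."""


def _single(params, name):
    """Return the one value of a query parameter, None if absent.

    RFC 6749 allows each parameter at most once; a duplicated iss or
    state is treated as an attack, not silently resolved.
    """
    values = params.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise MixUpError(f"parameter {name!r} appears {len(values)} times")
    return values[0]


class Client:
    """Relying party registered with several authorization servers."""

    def __init__(self):
        # state -> issuer identifier of the AS the request went to
        self._pending = {}

    def start_authorization(self, issuer, state=None):
        """Record the target AS before redirecting the user to it."""
        state = state or secrets.token_urlsafe(32)
        self._pending[state] = issuer
        return state

    def handle_authorization_response(self, redirect_url):
        """Return (code, issuer) or raise; never redeem a code on failure."""
        params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

        state = _single(params, "state")
        # pop(): a state is single-use, whether the response is accepted or not
        expected_issuer = self._pending.pop(state, None) if state else None
        if expected_issuer is None:
            raise MixUpError("unknown or missing state")

        iss = _single(params, "iss")
        if iss is None:
            # An AS that omits iss cannot be distinguished from a mix-up;
            # the post's plan for FAPI 2 is to make this check mandatory.
            raise MixUpError("response carries no iss parameter")
        # Exact string comparison against the issuer identifier obtained
        # out of band or via discovery; no normalisation of any kind.
        if iss != expected_issuer:
            raise MixUpError(f"iss {iss!r} != expected {expected_issuer!r}")

        error = _single(params, "error")
        if error is not None:
            raise AuthorizationError(error)
        code = _single(params, "code")
        if code is None:
            raise MixUpError("neither code nor error in response")
        return code, expected_issuer


def run_scenarios():
    """Constructed responses pushed through the check; returns outcomes."""
    honest, attacker = "https://as.example", "https://attacker.example"
    cb = "https://client.example/cb?"
    cases = {
        # The AS we talked to answers our own request.
        "honest": (honest, cb + "code=good&state=s1&iss=https%3A%2F%2Fas.example"),
        # Mix-up: the request went to the attacker's AS, which forwarded the
        # user to the honest AS; the honest AS's response now arrives at the
        # shared redirect URI with iss=honest while state is bound to attacker.
        "mixup": (attacker, cb + "code=leak&state=s1&iss=https%3A%2F%2Fas.example"),
        # Legacy AS that does not send iss.
        "no_iss": (honest, cb + "code=legacy&state=s1"),
        # Duplicated iss, one honest and one attacker value.
        "dup_iss": (honest, cb + "code=x&state=s1&iss=https%3A%2F%2Fas.example"
                    "&iss=https%3A%2F%2Fattacker.example"),
        # Error response, still carrying a verifiable iss.
        "error": (honest, cb + "error=access_denied&state=s1&iss=https%3A%2F%2Fas.example"),
    }
    outcomes = {}
    for name, (issuer, url) in cases.items():
        client = Client()
        client.start_authorization(issuer, state="s1")
        try:
            code, _ = client.handle_authorization_response(url)
            outcomes[name] = ("accepted", code)
        except MixUpError as exc:
            outcomes[name] = ("rejected", str(exc))
        except AuthorizationError as exc:
            outcomes[name] = ("error", str(exc))
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:8} -> {outcome}")
```

The check runs before any token request is built, which is the point: in the mix-up scenario the leaked code is never sent to the attacker's token endpoint. Consuming `state` on failure as well as on success keeps a rejected response from being retried with a different `iss`.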