[Openid-specs-fapi] Regrets for today

Daniel Fett fett at danielfett.de
Wed Oct 28 13:38:48 UTC 2020


Hi all,

unfortunately I can't attend the call today.

Nonetheless, I'd like to draw your attention to two topics on the OAuth
mailing list:

Firstly, a new draft for the "iss" parameter, which we're also using in
FAPI.
https://mailarchive.ietf.org/arch/msg/oauth/U5PHuXAl4fTiQ0df2cLFtpURAvI/

And a security problem when *not* using iss but relying on per-issuer
redirect URIs:
https://mailarchive.ietf.org/arch/msg/oauth/RjbSwFRmLsk0EgAY2Ter-nw66EY/

Note that JARM provides the same protection as the "iss" parameter. FAPI
1 Pt. 2 should therefore be fine.

My plan is to update the FAPI 2 drafts to remove the per-issuer redirect
URIs and to enforce checking the "iss" in the response.

-Daniel

-- 
https://danielfett.de
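As an added example (not part of Daniel's message, nor code from the drafts he links), the client-side check he proposes: an authorization response is accepted only if its "iss" exactly matches the issuer the client sent the request to, looked up via the single-use "state". The pending-request store and URLs are constructed sample values.

```python
from urllib.parse import parse_qs, urlparse


class AuthResponseError(Exception):
    """Raised when an authorization response must be rejected."""


def validate_authorization_response(redirect_url, pending):
    """Mix-up defence via the "iss" response parameter.

    `pending` maps each "state" the client issued to the issuer it sent the
    user to (in a real client this lives in the session store). Returns
    (issuer, code) on success and raises AuthResponseError otherwise.
    """
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)
    single = {}
    for key, values in params.items():
        if len(values) != 1:  # reject duplicated parameters outright
            raise AuthResponseError(f"duplicate parameter: {key}")
        single[key] = values[0]
    if "error" in single:
        raise AuthResponseError(f"error response: {single['error']}")
    state = single.get("state")
    if state is None or state not in pending:
        raise AuthResponseError("unknown or missing state")
    expected_issuer = pending.pop(state)["issuer"]  # state is single-use
    iss = single.get("iss")
    if iss is None:
        raise AuthResponseError("iss parameter missing")
    if iss != expected_issuer:  # exact string comparison, no normalisation
        raise AuthResponseError(f"iss {iss!r} != expected {expected_issuer!r}")
    code = single.get("code")
    if code is None:
        raise AuthResponseError("code missing")
    return expected_issuer, code


if __name__ == "__main__":
    # Constructed sample: one honest response, one where the response carries
    # the issuer of a different AS than the one the request went to.
    pending = {"s1": {"issuer": "https://as.honest.example"},
               "s2": {"issuer": "https://as.honest.example"}}
    ok = "https://client.example/cb?code=abc&state=s1&iss=https%3A%2F%2Fas.honest.example"
    print(validate_authorization_response(ok, pending))
    bad = "https://client.example/cb?code=xyz&state=s2&iss=https%3A%2F%2Fas.other.example"
    try:
        validate_authorization_response(bad, pending)
    except AuthResponseError as exc:
        print("rejected:", exc)
```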
