[Openid-specs-fapi] Regrets for today
fett at danielfett.de
Wed Oct 28 13:38:48 UTC 2020
Unfortunately I can't attend the call today.
Nonetheless, I'd like to draw your attention to two topics on the OAuth
Firstly, a new draft for the "iss" parameter, which we're also using in
And a security problem when *not* using iss but relying on per-issuer
Note that JARM provides the same protection as the "iss" parameter. FAPI
1 Pt. 2 should therefore be fine.
My plan is to update the FAPI 2 drafts to remove the per-issuer redirect
URIs and to enforce checking the "iss" in the response.