[Openid-specs-fapi] FW: OBE JWS Profile - Version 0.10b for Approval

Anders Rundgren anders.rundgren.net at gmail.com
Fri Sep 18 08:58:27 UTC 2020


Dave Tonge wrote:
> 
> I think we need to consider moving away from recommending headers for business-critical metadata. Really things like IP address, geo-location and other fraud factors should be put in the body of the request.

+100

> Then we can recommend that the simplest and least error-prone way of signing can be to turn the request body into a JWT.

It also opens the door to serializable requests.

Anders

