[Openid-specs-fapi] External : Re: External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval
Freddi.Gyara at openbanking.org.uk
Tue Sep 22 13:03:06 UTC 2020
The body is encoded - usually by the library that is meant to generate the JWT
From: Anders Rundgren <anders.rundgren.net at gmail.com>
Sent: 22 September 2020 13:03
To: FAPI Working Group List <openid-specs-fapi at lists.openid.net>; Freddi Gyara <Freddi.Gyara at openbanking.org.uk>
Cc: Brian Campbell <bcampbell at pingidentity.com>
Subject: External : Re: [Openid-specs-fapi] External : Re: External : FW: OBE JWS Profile - Version 0.10b for Approval
On 2020-09-22 10:39, Freddi Gyara via Openid-specs-fapi wrote:
> Around a year ago at least, most JWT libraries did not honour the ‘b64’ header (they simply ignored it). As a result, we ended up with signatures in the ecosystem where participants thought they were unencoded, but actually were and verification methods where they were trying to verify against un-encoded payloads. As you can imagine, it just caused a lot of confusion.
> We paused the implementation under a waiver which expired a few months ago and we are beginning to see very few issues with usage of signatures in the ecosystem (after an initial round of incorrect implementations that have largely been fixed). TBH, payment volumes are low, but increasing and we haven’t seen a similar increase in support tickets or complaints around signature generation and validation.
> The approach that is now followed is to b64 encode and sign the HTTP body, then drop the central part of the resulting JWT (as described in Appendix F).
I don't understand how to interpret this. Do you mean that the HTTP body actually is B64 encoded?
If not, I don't see the point with b64-encoding. I thought that was a part of a JWS library/encoder:
This email is from Open Banking Limited, Company Number 10440081. Our registered and postal address is 2 Thomas More Square, London, E1W 1YN. Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.
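The two approaches discussed in this thread, as an added example that is not code from Open Banking, the OBE profile or any of the people on this thread: a detached JWS (RFC 7515 Appendix F, the "drop the central part" step) signed either over the base64url-encoded body, as the thread says OBE now does, or over the raw body with the RFC 7797 `b64: false` header. The verifier has an `honour_b64` switch that models the older libraries Freddi describes, which ignored the header and always encoded the payload. It uses only the Python standard library with a constructed HS256 shared secret and a constructed request body; the helper names `sign_detached`, `verify_detached` and `demo` are this example's own, not an API of any library.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header_b64: str, body: bytes, unencoded: bool) -> bytes:
    # RFC 7797: with b64=false the raw payload octets are signed;
    # otherwise (RFC 7515) the base64url-encoded payload is signed.
    payload_part = body if unencoded else b64url(body).encode("ascii")
    return header_b64.encode("ascii") + b"." + payload_part


def sign_detached(body: bytes, key: bytes, b64: bool = True) -> str:
    """Sign an HTTP body and return the detached compact form 'header..signature'
    (RFC 7515 Appendix F: the payload part is dropped and travels as the body)."""
    header = {"alg": "HS256"}
    if not b64:
        header["b64"] = False
        header["crit"] = ["b64"]  # RFC 7797 requires b64 to be listed in crit
    header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, _signing_input(header_b64, body, not b64), hashlib.sha256).digest()
    return f"{header_b64}..{b64url(mac)}"


def verify_detached(jws: str, body: bytes, key: bytes, honour_b64: bool = True) -> bool:
    """Verify a detached JWS against the body received over HTTP.

    honour_b64=False models the older libraries from the thread that ignored
    the b64 header and always base64url-encoded the payload before verifying."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not a detached compact serialization
    header_b64, _, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    # Reject critical header parameters this verifier does not understand.
    if any(name != "b64" for name in header.get("crit", [])):
        return False
    unencoded = honour_b64 and header.get("b64") is False
    expected = hmac.new(key, _signing_input(header_b64, body, unencoded), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Constructed demo values; a real deployment uses an asymmetric alg and a key store.
DEMO_KEY = b"constructed-demo-shared-secret"
DEMO_BODY = b'{"Data":{"Initiation":{"InstructedAmount":{"Amount":"10.00"}}}}'


def demo() -> dict:
    encoded = sign_detached(DEMO_BODY, DEMO_KEY)               # encode-then-sign, payload dropped
    unencoded = sign_detached(DEMO_BODY, DEMO_KEY, b64=False)  # RFC 7797 b64=false
    return {
        "encoded_ok_new_verifier": verify_detached(encoded, DEMO_BODY, DEMO_KEY),
        "encoded_ok_old_verifier": verify_detached(encoded, DEMO_BODY, DEMO_KEY, honour_b64=False),
        "unencoded_ok_new_verifier": verify_detached(unencoded, DEMO_BODY, DEMO_KEY),
        "unencoded_ok_old_verifier": verify_detached(unencoded, DEMO_BODY, DEMO_KEY, honour_b64=False),
        "tampered_body_rejected": not verify_detached(encoded, DEMO_BODY + b" ", DEMO_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `unencoded_ok_old_verifier` entry is the failure mode the thread describes: a `b64: false` signature verifies only when the receiver honours the header, whereas the encode-then-sign form verifies under both verifier behaviours, which is why the detached-but-encoded form is the interoperable choice. Note that the body bytes must reach the verifier exactly as signed; re-serialising the JSON on the way breaks the check.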