[Openid-specs-fapi] Issue #459: Should JARM be mandated for code flow with PAR and PKCE? (openid/fapi)
Dima Postnikov
issues-reply at bitbucket.org
Tue Nov 23 12:42:03 UTC 2021
New issue 459: Should JARM be mandated for code flow with PAR and PKCE?
https://bitbucket.org/openid/fapi/issues/459/should-jarm-be-mandated-for-code-flow-with
Dima Postnikov:
FAPI 1 Advanced currently:
* allows PAR (MAY),
* use of PAR mandates PKCE (SHALL),
* allows use of the `code` flow
> shall require
>
> the `response_type` value `code id_token`, or
>
> the `response_type` value `code` in conjunction with the `response_mode` value `jwt`;
* use of code flow mandates JARM
> In addition, if the `response_type` value `code` is used in conjunction with the `response_mode` value `jwt`, the authorization server
>
> shall create JWT-secured authorization responses as specified in [JARM](https://bitbucket.org/openid/fapi/src/master/Financial_API_JWT_Secured_Authorization_Response_Mode.md), Section 4.3.
Is there a need to mandate JARM if code flow is used with PAR and PKCE? This requirement didn’t seem to come from the attacker model.
Maybe the JARM requirement can be relaxed?
Thoughts?
Responsible: Dima Postnikov
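As an added example (not code from the issue, the FAPI specs or any project), this is what a client checks on a JARM `response` JWT that a plain `code`+`state` response does not give it: integrity, issuer and audience of the response, plus expiry. It uses HS256 with a constructed shared key so it runs on the standard library alone; FAPI 1 Advanced requires asymmetric JWS algorithms, so a real client would verify against the AS's published public key instead.

```python
"""Client-side validation of a JARM authorization response (response_mode=jwt).
Constructed example. HS256 with a constructed shared key stands in for the
asymmetric signature a real FAPI authorization server would produce."""
import base64, hashlib, hmac, json, time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jarm_response(claims: dict, key: bytes) -> str:
    """Build the JWT an AS would place in the `response` parameter (constructed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jarm_response(jwt: str, key: bytes, issuer: str, client_id: str,
                         expected_state: str, now=None) -> dict:
    """Return the response claims (code, state, ...) or raise ValueError.
    The iss/aud checks are the mix-up defence; the signature check is what
    stops the code/state pair being altered in transit through the browser."""
    header_b64, body_b64, sig_b64 = jwt.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust an unpinned alg header
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("response expired")
    if claims.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "error" in claims:
        raise ValueError(f"authorization error: {claims['error']}")
    return claims
```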