[Openid-specs-fapi] Issue #446: TLS for Grant Management Endpoint (openid/fapi)
Takahiko Kawasaki
issues-reply at bitbucket.org
Fri Oct 1 06:33:23 UTC 2021
New issue 446: TLS for Grant Management Endpoint
https://bitbucket.org/openid/fapi/issues/446/tls-for-grant-management-endpoint
Takahiko Kawasaki:
The ID1 of [Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html) does not mention explicitly that the grant management endpoint should (or must) utilize TLS. If it is written explicitly, an authorization server implementation will be able to have a justifiable reason to prevent any non-https URI from being registered as a value for `grant_management_endpoint`.
cf. Excerpt from CIBA Core 1.0, [7. Backchannel Authentication Endpoint](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_backchannel_endpoint)
> Communication with the Backchannel Authentication Endpoint MUST utilize TLS. See Section 16.17 [OpenID.Core] for more information on using TLS.
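
One way an authorization server could refuse a non-https value for `grant_management_endpoint` at registration time, as an added example that is not part of the original message or of any implementation. The function names, the sample URIs and the host and userinfo checks are assumptions made for illustration.

```python
from urllib.parse import urlsplit


class EndpointRejected(ValueError):
    """Raised when a configured endpoint URI fails the TLS-only policy."""


def require_https_endpoint(name: str, value: str) -> str:
    """Return value unchanged if it is an absolute https URI, else raise."""
    if not isinstance(value, str) or not value or value != value.strip():
        raise EndpointRejected(f"{name}: empty or whitespace-padded value")
    parts = urlsplit(value)
    # urlsplit lowercases the scheme, so "HTTPS://..." still counts as https.
    if parts.scheme != "https":
        raise EndpointRejected(
            f"{name}: scheme {parts.scheme or '(none)'!r} is not https")
    # "https:host/path" and "https:///path" parse with an https scheme but
    # no authority, so the scheme test alone is not enough.
    if not parts.hostname:
        raise EndpointRejected(f"{name}: no host component")
    # Assumption beyond the issue text: credentials embedded in the URI
    # are refused as well.
    if parts.username or parts.password:
        raise EndpointRejected(f"{name}: userinfo is not allowed")
    return value


def screen(candidates):
    """Map each candidate URI to None (accepted) or the rejection reason."""
    results = {}
    for uri in candidates:
        try:
            require_https_endpoint("grant_management_endpoint", uri)
            results[uri] = None
        except ValueError as exc:  # also covers urlsplit parse errors
            results[uri] = str(exc)
    return results


# Constructed sample values, not taken from any real deployment.
SAMPLES = [
    "https://as.example.com/grants",
    "HTTPS://as.example.com/grants",
    "http://as.example.com/grants",
    "//as.example.com/grants",
    "https:as.example.com/grants",
    "https://admin:secret@as.example.com/grants",
]

if __name__ == "__main__":
    for uri, reason in screen(SAMPLES).items():
        print(("REJECT " + reason) if reason else "ACCEPT", uri)
```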