[Openid-specs-fapi] Issue #509: 2.3.1 Note in Response Mode "query.jwt" (openid/fapi)
Nat
issues-reply at bitbucket.org
Mon Jul 4 14:08:46 UTC 2022
New issue 509: 2.3.1 Note in Response Mode "query.jwt"
https://bitbucket.org/openid/fapi/issues/509/231-note-in-response-mode-queryjwt
Nat Sakimura:
# Comments
JARM appears to only define behaviour for response type code and token and not for the hybrid mode with id_token. Indeed, it does not make sense to use both "code id_token" as the response type and use JARM as the response mode so it does make sense. However, the treatment of ID Token comes up in 2.3.1 saying it needs to be encrypted.
> Note: "query.jwt" MUST NOT be used in conjunction with response types that contain "token" or "id_token" unless the response JWT is encrypted to prevent token leakage in the URL.
# Proposal
Amend the note to read as:
> Note: "query.jwt" MUST NOT be used in conjunction with response types that contain "token" unless the response JWT is encrypted to prevent token leakage in the URL.
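As an added example (not part of the issue or of the JARM text), a Python check an authorization server could run on an incoming authorization request to enforce the 2.3.1 note, side by side under the current wording and the proposed one. It assumes the JARM client-metadata field `authorization_encrypted_response_alg` is the signal that the response JWT will be encrypted; the client metadata and requests are constructed.

```python
# Added example: enforce the 2.3.1 note for response_mode "query.jwt" at the
# authorization server. Client metadata below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def response_jwt_is_encrypted(client_metadata: dict) -> bool:
    """A JARM response JWT is encrypted only when the client registered
    authorization_encrypted_response_alg (assumed as the signal here)."""
    return bool(client_metadata.get("authorization_encrypted_response_alg"))


def check_query_jwt(response_type: str, response_mode: str,
                    client_metadata: dict, proposed_wording: bool = False) -> Decision:
    """Apply the note to one request.

    proposed_wording=False: current text, forbids 'token' and 'id_token'.
    proposed_wording=True:  proposal in this issue, forbids 'token' only.
    """
    if response_mode != "query.jwt":
        return Decision(True, "note only applies to response_mode=query.jwt")
    requested = set(response_type.split())          # response_type is space separated
    forbidden = {"token"} if proposed_wording else {"token", "id_token"}
    leaking = sorted(requested & forbidden)
    if not leaking:
        return Decision(True, "no response_type value that would leak via the URL")
    if response_jwt_is_encrypted(client_metadata):
        return Decision(True, f"{leaking} allowed: response JWT is encrypted")
    return Decision(False, f"query.jwt with {leaking} requires an encrypted response JWT")


if __name__ == "__main__":
    plain_client = {"authorization_signed_response_alg": "PS256"}
    enc_client = {**plain_client, "authorization_encrypted_response_alg": "RSA-OAEP"}
    for rt, client in [("code", plain_client), ("code token", plain_client),
                       ("code token", enc_client), ("code id_token", plain_client)]:
        for proposed in (False, True):
            d = check_query_jwt(rt, "query.jwt", client, proposed)
            print(f"{rt!r:18} proposed={proposed!s:5} -> {d.allowed}: {d.reason}")
```

Running it shows the one combination the two wordings disagree on: "code id_token" with an unencrypted response JWT is rejected by the current note and accepted by the proposed one.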