[Openid-specs-fapi] Issue #526: Decide on B. Access Token Injection with ID Token Replay (openid/fapi)

Nat issues-reply at bitbucket.org
Thu Jul 21 06:26:53 UTC 2022


New issue 526: Decide on B. Access Token Injection with ID Token Replay
https://bitbucket.org/openid/fapi/issues/526/decide-on-b-access-token-injection-with-id

Nat Sakimura:

The security analysis (https://arxiv.org/pdf/1901.11520.pdf) recommends that the ID Token from the Token Endpoint include the hash of the access token for FAPI 1.0.

What should we do for FAPI 2?
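
Added example, not part of the original message or of the FAPI specifications: a sketch of the client-side check that recommendation implies, computing `at_hash` as defined in OpenID Connect Core and rejecting a token response whose access token does not match the ID Token. The function names and sample tokens are assumptions constructed for illustration, and the ID Token signature is assumed to have been verified already.

```python
import base64
import hashlib
import hmac

# OIDC Core 3.1.3.6: the hash is the one named by the ID Token's JOSE "alg"
# (e.g. PS256 / ES256 -> SHA-256).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def compute_at_hash(access_token: str, alg: str) -> str:
    """base64url (unpadded) of the left-most half of hash(ASCII access token)."""
    hash_fn = _HASHES.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"unsupported ID Token alg: {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def access_token_matches_id_token(header: dict, claims: dict, access_token: str) -> bool:
    """Check a token response after the ID Token signature has been verified.

    A missing at_hash is treated as a failure, so an ID Token that carries no
    binding cannot be paired with an arbitrary access token.
    """
    claimed = claims.get("at_hash")
    if not isinstance(claimed, str):
        return False
    expected = compute_at_hash(access_token, header["alg"])
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("ascii"))


# Constructed sample values (not real tokens).
ISSUED_TOKEN = "constructed-access-token-issued-with-the-id-token"
OTHER_TOKEN = "constructed-access-token-from-another-session"
HEADER = {"alg": "PS256", "typ": "JWT"}
CLAIMS = {"iss": "https://as.example", "sub": "alice",
          "at_hash": compute_at_hash(ISSUED_TOKEN, "PS256")}

if __name__ == "__main__":
    print("matching pair accepted:", access_token_matches_id_token(HEADER, CLAIMS, ISSUED_TOKEN))
    print("swapped token accepted:", access_token_matches_id_token(HEADER, CLAIMS, OTHER_TOKEN))
```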

