[Openid-specs-fapi] Issue #502: Is nonce required with JARM? (openid/fapi)
Dima Postnikov
issues-reply at bitbucket.org
Wed Jun 8 14:55:00 UTC 2022
New issue 502: Is nonce required with JARM?
https://bitbucket.org/openid/fapi/issues/502/is-nonce-required-with-jarm
Dima Postnikov:
Comment from Nat from a JARM thread:
> This conversation also made me become aware of the subtle difference in the security posture.
>
> It may well be a bug of FAPI 1.0 Advanced.
>
> In the case of hybrid flow, `nonce` is required while in the case of JARM, it is not.
>
> So the binding characteristics between the authorization request and token response are a bit different between them, probably a bit weaker in the case of response_mode=jwt (JARM).
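The request-to-response binding Nat is comparing, shown from the client side as an added example (not code from the thread or from the FAPI specs): with JARM there is no `nonce` in the response JWT, so after checking the signature, `iss`, `aud` and `exp`, the `state` claim is the only value that ties the response back to the client's own authorization request. HS256 with a constructed shared secret is used only so the example runs offline; a real JARM response is signed by the authorization server with an asymmetric key.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; stands in for the AS signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jarm_response(claims: dict) -> str:
    """AS side: wrap the authorization response parameters in a signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jarm_response(jwt_str: str, expected_iss: str, client_id: str,
                         expected_state: str, now: float = None) -> dict:
    """Client side: signature, iss, aud, exp, then the state binding.
    Raises ValueError on any failure; returns the response parameters."""
    header, body, sig = jwt_str.split(".")
    expected_sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected_sig), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("response JWT expired")
    # JARM carries no nonce: the state the client generated for this request
    # (unguessable, kept in the user's session) is the only link back to it.
    if not hmac.compare_digest(claims.get("state", ""), expected_state):
        raise ValueError("state mismatch: response not bound to this request")
    return claims
```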