[Openid-specs-fapi] Issue #622: Review FAPI1 security considerations for clarity (openid/fapi)

josephheenan issues-reply at bitbucket.org
Wed Aug 9 15:05:54 UTC 2023


New issue 622: Review FAPI1 security considerations for clarity
https://bitbucket.org/openid/fapi/issues/622/review-fapi1-security-considerations-for

Joseph Heenan:

Most recently discussed on [https://bitbucket.org/openid/fapi/pull-requests/429](https://bitbucket.org/openid/fapi/pull-requests/429) - I cannot remember where we previously discussed this, but in FAPI2 we were careful to make the security considerations quite clear on why we felt items from the security analysis were in most cases not real world issues.

e.g. [https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.6.5](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.6.5) includes language like:

“A pre-condition for this attack is that the attacker has control of an authorization server that is trusted by the client to issue access tokens for the target resource server.”

and

“The pre-conditions for this attack do not apply to many ecosystems and require a powerful attacker.”

We should review the FAPI1 baseline & advanced security considerations and revise them in errata, so that ecosystems adopting FAPI1 do not feel like they need to take measures like requiring at_hash in id_tokens unless the very specific criteria apply to them.
