[Openid-specs-fapi] Issue #642: Continuation of #619 -- Add some text to make the readers aware of the caveats. (openid/fapi)

Nat issues-reply at bitbucket.org
Tue Jan 9 05:44:23 UTC 2024


New issue 642: Continuation of #619 -- Add some text to make the readers aware of the caveats.
https://bitbucket.org/openid/fapi/issues/642/continuation-of-619-add-some-text-to-make

Nat Sakimura:

The current scope is: 

> This specification is a general purpose high security profile of OAuth 2.0 that has been proved by formal analysis to meet the stated attacker model. This document specifies the requirements for:
>
> * Confidential Clients to securely obtain OAuth tokens from Authorization Servers;
>
> * Confidential Clients to securely use those tokens to access protected resources at Resource Servers;
>
> * Authorization Servers to securely issue OAuth tokens to confidential Clients;
>
> * Resource Servers to securely accept and verify OAuth tokens from confidential Clients.

Proposes to add the following text at the end of it: 

> This document is applicable to the case where an end user is logged in at a client using OpenID Connect based on ID Token, and in the case an end user is not logged in at a client in which case the client identifies the user (agent) by a cookie (that cookie is not bound to an identity, only to an authorization grant flow).

It is related to #619.
