[Openid-specs-fapi] Issue #723: Clarifying Message Signing for UserInfo requests/responses in FAPI 2.0 (openid/fapi)
authlete-hide
issues-reply at bitbucket.org
Wed Oct 9 06:44:04 UTC 2024
New issue 723: Clarifying Message Signing for UserInfo requests/responses in FAPI 2.0
https://bitbucket.org/openid/fapi/issues/723/clarifying-message-signing-for-userinfo
hideki ikeda:
If the userinfo requests/responses are considered protected resources, I think they should be signed in FAPI 2 Message Signing. If that's the case, why does [5.7. HTTP message signing](https://openid.bitbucket.io/fapi/fapi-2_0-message-signing.html#section-5.7) in the current spec not include requirements for authorization servers? The userinfo endpoint is generally considered an authorization server endpoint, but section 5.7 in the current spec only outlines requirements for "clients" and "resource servers". Or perhaps the "resource servers" part should be changed to "protected resource endpoints" or something like that.
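As an added illustration (not part of the issue text, and not code from the FAPI working group or any implementation), the sketch below shows what "signing the userinfo response" as a protected-resource response means in practice under HTTP Message Signatures (RFC 9421), which is the mechanism section 5.7 builds on: the server computes a Content-Digest over the JSON body, builds the signature base over the status, content type and digest, and emits Signature-Input and Signature headers; the client rebuilds the same base and checks the signature, the covered digest and the created window. The key id, signature label, shared secret, sample claims and the 300-second freshness window are constructed for the example. HMAC-SHA256 is used only to keep the example dependency-free; the FAPI 2.0 profiles require an asymmetric algorithm such as PS256 or ES256, where the authorization server would sign with its private key and the client would verify against the server's published JWK.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: not a real key, key id or signature label.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
KEY_ID = "userinfo-key-1"
LABEL = "sig1"
ALG = "hmac-sha256"

# Constructed sample userinfo body (the claims are made up).
SAMPLE_BODY = json.dumps({"sub": "248289761001", "name": "Jane Doe"}).encode()


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value binding the body to the signature."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(name: str, status: int, headers: dict) -> str:
    """Value of one covered component: the derived @status or a header field."""
    if name == "@status":
        return str(status)
    for k, v in headers.items():  # field names match case-insensitively
        if k.lower() == name:
            return v.strip()
    raise KeyError(name)


def signature_params(components, created: int) -> str:
    quoted = " ".join(f'"{c}"' for c in components)
    return f'({quoted});created={created};keyid="{KEY_ID}";alg="{ALG}"'


def signature_base(components, params: str, status: int, headers: dict) -> bytes:
    """RFC 9421 signature base: one '"name": value' line per component,
    followed by the @signature-params line, joined by LF."""
    lines = [f'"{c}": {component_value(c, status, headers)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()


def sign_userinfo_response(status: int, body: bytes, created: int) -> dict:
    """What the userinfo endpoint would do before returning its response."""
    headers = {"Content-Type": "application/json", "Content-Digest": content_digest(body)}
    components = ["@status", "content-type", "content-digest"]
    params = signature_params(components, created)
    sig = hmac.new(SHARED_SECRET, signature_base(components, params, status, headers),
                   hashlib.sha256).digest()
    headers["Signature-Input"] = f"{LABEL}={params}"
    headers["Signature"] = f"{LABEL}=:{base64.b64encode(sig).decode()}:"
    return {"status": status, "headers": headers, "body": body}


def verify_userinfo_response(resp: dict, now: int, max_age: int = 300) -> bool:
    """What the client does: check digest, key/alg, freshness and signature."""
    headers, body = resp["headers"], resp["body"]
    if headers.get("Content-Digest") != content_digest(body):
        return False  # body was altered after signing
    label, _, params = headers["Signature-Input"].partition("=")
    if label != LABEL:
        return False
    comp_part, _, param_part = params.partition(")")
    components = [c.strip('"') for c in comp_part.lstrip("(").split()]
    p = dict(kv.split("=", 1) for kv in param_part.lstrip(";").split(";"))
    if p.get("keyid") != f'"{KEY_ID}"' or p.get("alg") != f'"{ALG}"':
        return False
    created = int(p["created"])
    if not (created <= now <= created + max_age):
        return False  # replayed or stale response (window is a local policy choice)
    expected = hmac.new(SHARED_SECRET,
                        signature_base(components, params, resp["status"], headers),
                        hashlib.sha256).digest()
    got = base64.b64decode(headers["Signature"].partition("=:")[2].rstrip(":"))
    return hmac.compare_digest(expected, got)
```

Covering `@status` matters for userinfo: without it, a signed 200 body could be replayed under a different status, and the digest alone would not catch a swapped body/status pair.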