[Openid-specs-fapi] Questions about Authorization Server Requirements

Joe DeCock joe at duendesoftware.com
Fri Feb 14 14:15:17 UTC 2025


Hello everyone,

I'm excited for FAPI 2.0 to hopefully reach Final status soon, and I've
been getting into some implementation details for authorization
servers (section
5.3.2.1
<https://openid.bitbucket.io/fapi/fapi-security-profile-2_0.html#section-5.3.2.1>),
which has raised a few questions:

1. Item 13 discusses the clock skew that authorization servers should
account for when validating iat and nbf claims of JWTs. Which JWTs need to
be handled in this way?
- private_key_jwt authentication
- dpop proof tokens
- access tokens that happen to be JWTs (used at e.g., the userinfo or
introspection endpoint)
- JAR request objects, if you're using them. Even though the section on
differences with FAPI 1 suggests that PAR replaces JAR in FAPI 2, it is
valid to combine them and, as far as I can tell, not prohibited.
- ID tokens being passed as an id_token_hint

2. Why is exp not handled similarly?

3. What's the intention of item 10 saying "may"? I take it as a suggestion,
but not a strict requirement.

Thanks very much,
Joe DeCock
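A time-claim validator that applies the item-13 skew tolerance to iat and nbf, as an added example that is not part of the original post or of any FAPI implementation. The 30 s skew default, the `required` claim set and the strict (no-leeway) treatment of exp are assumptions of this example, not statements about what the profile requires.

```python
"""Clock-skew handling for JWT time claims (iat, nbf, exp).

Added example; not code from the original post or any FAPI implementation.
The 30 s skew, the `required` set and the strict treatment of exp are
assumptions of this example, not statements about FAPI 2.0 requirements.
"""
from typing import Iterable

Claims = dict[str, object]


def check_time_claims(claims: Claims, now: float, skew: int = 30,
                      required: Iterable[str] = ("iat", "exp")) -> tuple[bool, str]:
    """Return (ok, reason) for the time claims of a JWT.

    iat/nbf: rejected only if they lie more than `skew` seconds in the future
    relative to the validator's clock `now`, so a client clock that runs a
    little ahead of the server's does not cause spurious rejections.
    exp: rejected as soon as `now` reaches it (no leeway; assumption here).
    Every claim named in `required` must be present.
    """
    values: dict[str, float] = {}
    for name in ("iat", "nbf", "exp"):
        v = claims.get(name)
        if v is None:
            if name in required:
                return False, f"{name} missing"
            continue
        # NumericDate must be a JSON number; bool is an int subclass in Python.
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return False, f"{name} is not a NumericDate"
        values[name] = float(v)

    for name in ("iat", "nbf"):
        if name in values and values[name] > now + skew:
            return False, f"{name} more than {skew}s in the future"
    if "exp" in values and values["exp"] <= now:
        return False, "exp has passed"
    if "exp" in values and "iat" in values and values["exp"] < values["iat"]:
        return False, "exp precedes iat"
    return True, "ok"


# Constructed samples: the validator's clock is SERVER_NOW; the client's clock
# runs 20 s ahead in the first token and 120 s ahead in the second.
SERVER_NOW = 1_739_542_517  # arbitrary epoch seconds, constructed
TOKEN_SLIGHTLY_AHEAD = {"iat": SERVER_NOW + 20, "nbf": SERVER_NOW + 20, "exp": SERVER_NOW + 80}
TOKEN_FAR_AHEAD = {"iat": SERVER_NOW + 120, "exp": SERVER_NOW + 180}
DPOP_PROOF_NO_EXP = {"iat": SERVER_NOW - 5, "jti": "constructed-id"}  # no exp claim
```

Which claims are mandatory differs per JWT type (a DPoP proof carries iat but need not carry exp), which is why `required` is a parameter rather than fixed.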