[Openid-specs-fapi] Issue #745: JARM Downgrade (openid/fapi)
Yaron Zehavi
issues-reply at bitbucket.org
Sun Jun 1 21:03:39 UTC 2025
New issue 745: JARM Downgrade
https://bitbucket.org/openid/fapi/issues/745/jarm-downgrade
Yaron Zehavi:
The JARM spec doesn't specify how a Relying Party should handle a situation where its request for a JARM response is ignored by the OpenID Provider, for example by returning, instead of the expected JWT response, the code + state + iss query parameters.
Such a scenario may be viewed as a downgrade of a security mechanism, which the RP should identify and potentially also reject. Perhaps rejection should be only in case the OP explicitly published its JARM support using `response_modes_supported`.
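The RP-side check the issue asks for, as an added example (not code from the issue author or the FAPI working group): after requesting a JARM `response_mode`, the RP classifies the callback it actually received, and treats a plain `code`/`state`/`iss` response as a rejected downgrade only when the OP's discovery metadata advertised a JARM mode in `response_modes_supported`. The function name, the `Outcome` enum and the policy for mixed or empty responses are this example's own assumptions.

```python
from enum import Enum
from urllib.parse import parse_qs, urlsplit

# response_mode values defined by JARM; any of them asks for a JWT-secured response.
JARM_MODES = {"jwt", "query.jwt", "fragment.jwt", "form_post.jwt"}


class Outcome(Enum):
    JARM = "jarm"                    # JWT 'response' parameter present: validate and use it
    REJECT_DOWNGRADE = "reject"      # plain params although the OP advertises JARM support
    TOLERATE_DOWNGRADE = "tolerate"  # plain params and the OP never advertised JARM
    INVALID = "invalid"              # neither a clean JARM nor a clean plain response


def classify_callback(requested_mode: str, redirect_url: str, op_metadata: dict) -> Outcome:
    """Hypothetical RP helper: decide how to treat an authorization response
    received after a JARM response_mode was requested (policy is this example's)."""
    if requested_mode not in JARM_MODES:
        raise ValueError("classification only applies when a JARM mode was requested")
    parts = urlsplit(redirect_url)
    # The JWT may arrive in the query or the fragment depending on the mode; look in both.
    params = parse_qs(parts.query)
    params.update(parse_qs(parts.fragment))
    has_jwt = "response" in params
    has_plain = any(k in params for k in ("code", "state", "iss", "error"))
    if has_jwt and not has_plain:
        return Outcome.JARM
    if has_jwt or not has_plain:
        # A mix of JWT and plain parameters, or nothing usable at all, is not
        # processed either way: do not let an attacker choose which one is read.
        return Outcome.INVALID
    advertised = set(op_metadata.get("response_modes_supported", []))
    if advertised & JARM_MODES:
        return Outcome.REJECT_DOWNGRADE
    return Outcome.TOLERATE_DOWNGRADE


if __name__ == "__main__":
    # Constructed sample: OP discovery document advertising JARM, callback without a JWT.
    op_md = {"response_modes_supported": ["query", "fragment", "jwt", "query.jwt"]}
    cb = "https://rp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj&iss=https://op.example"
    print(classify_callback("query.jwt", cb, op_md))  # Outcome.REJECT_DOWNGRADE
```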