[Openid-specs-fapi] Issue #743: 7.2. Message source authentication failure (openid/fapi)
Hideaki Furukawa
issues-reply at bitbucket.org
Fri May 23 12:14:03 UTC 2025
New issue 743: 7.2. Message source authentication failure
https://bitbucket.org/openid/fapi/issues/743/72-message-source-authentication-failure
Hideaki Furukawa:
[The current text](https://openid.net/specs/openid-financial-api-part-1-1_0.html#message-source-authentication-failure) warns that the authorization request and response are not authenticated, and only mentions that the request objects used in FAPI 1.0 Part 2 are to achieve the message source authentication.
Isn’t the authentication of the authorization response missing in the text? Also, could JARM be used for authentication of the authorization response?
> 7.2. Message source authentication failure
>
> Authorization request and response are not authenticated. For higher risk scenarios, they should be authenticated. See Financial-grade API Security Profile 1.0 - Part 2: Advanced, which uses request objects to achieve the message source authentication.