[Openid-specs-risc] openid/sharedsignals: Comment created on issue 308

github at oidf.org
Tue Dec 9 16:23:25 UTC 2025


openid/sharedsignals event

Issue Comment created on issue 308
Issue Title: CAEP interop profile - Access token related queries from certification team
https://github.com/openid/sharedsignals/issues/308

Comment: Thoughts:
- I think using a short-lived token without DPoP is OK. The spec recommends using a short-lived token. The conformance test need not worry about token lifetime though.
- Using a short-lived token is probably not as good as using DPoP or MTLS, but it is a practical limitation of implementations today, and still keeps the security properties reasonable.
- We can remove language around the authorization code flow. As far as I can see, it is only mentioned as an example in section 2.7.1 of short-lived tokens in the FAPI draft, not something we should expect in SSF.
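The trade-off the comment describes (a plain short-lived bearer token being acceptable, a DPoP-bound token being stronger) can be made concrete on the token-validating side. The following is an added example, not code from the issue thread, the SSF specification or the conformance suite; the policy value MAX_BEARER_LIFETIME, the function names and the sample keys are all constructed for illustration. It accepts a bearer token only when its iat/exp window is short, and accepts a DPoP-bound token (RFC 9449, cnf.jkt) only when the RFC 7638 thumbprint of the key in the presented proof matches the binding.

```python
import base64
import hashlib
import json
from typing import Optional, Tuple

# Hypothetical policy: how long a plain (non-sender-constrained) bearer token
# may live before this validator refuses it. Not a value from the SSF or CAEP spec.
MAX_BEARER_LIFETIME = 600  # seconds


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256) over the required members,
    serialised with sorted keys and no whitespace."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def evaluate_token(claims: dict, proof_jwk: Optional[dict], now: int) -> Tuple[bool, str]:
    """Decide whether an already signature-verified access token is usable.

    claims     -- decoded JWT claims (iat, exp, optional cnf.jkt)
    proof_jwk  -- the public JWK from the DPoP proof header, if one was presented
    now        -- current Unix time (passed in so the decision is testable)
    """
    if claims["exp"] <= now:
        return False, "token expired"

    jkt = claims.get("cnf", {}).get("jkt")
    if jkt is not None:
        # Sender-constrained token: usable only with the bound proof key.
        if proof_jwk is None:
            return False, "DPoP-bound token presented without a DPoP proof"
        if jwk_thumbprint(proof_jwk) != jkt:
            return False, "DPoP proof key does not match cnf.jkt"
        return True, "accepted: DPoP-bound token"

    # Plain bearer token: the only mitigation against replay is a short life.
    lifetime = claims["exp"] - claims["iat"]
    if lifetime > MAX_BEARER_LIFETIME:
        return False, f"bearer token lifetime {lifetime}s exceeds policy"
    return True, "accepted: short-lived bearer token"


# Constructed sample key (coordinates are placeholders, not a real curve point;
# the thumbprint does not validate them, only hashes the required members).
SAMPLE_EC_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3JkaW5hdGU",
                 "y": "c29tZS15LWNvb3JkaW5hdGU", "use": "sig"}

if __name__ == "__main__":
    now = 1_700_000_000
    bearer = {"iat": now - 60, "exp": now + 240}
    print(evaluate_token(bearer, None, now))
    bound = {"iat": now - 60, "exp": now + 3000,
             "cnf": {"jkt": jwk_thumbprint(SAMPLE_EC_JWK)}}
    print(evaluate_token(bound, SAMPLE_EC_JWK, now))
```

Signature verification of the token and of the DPoP proof (including its htm/htu/ath binding) is assumed to have happened before evaluate_token is called; the function only encodes the lifetime-versus-binding policy discussed above. Note that the extra "use" member is deliberately ignored by the thumbprint, as RFC 7638 requires.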

