Unsigned error response
Issue #1703 (enhancement, resolved)
One of the foundational design criteria with OIDC Federation was to have end-to-end protection of messages that was not dependent on TLS.
There is one response message that is not protected by an issuer signature and that is the error message.
After discussion between the editors we have decided to add a security consideration describing possible threats that appear as a result of this.
Comments (4)
- changed component to Federation
- The following PR resolves this issue: https://bitbucket.org/openid/connect/pull-requests/355
- changed status to resolved