FAPI part 2 - request object for public clients (signing key?)

Issue #158 resolved
Torsten Lodderstedt created an issue

§5.2.3,#1 requires public clients to use "request" or "request_uri"

How is the client supposed to sign the request object?

Comments (14)

  1. Nat Sakimura

    Good point. It needs more text around it. The premise is to have the request object signed by the underlying TLS library using the key established for the Token Binding. Perhaps @ve7jtb can chime in and fill the void.

  2. Dave Tonge

    We discussed and agreed to remove the requirement for OAuth Token Binding. This is separate from the public client issue though, so I’ll open another issue for this.
