FAPI part 2 - Request Object Endpoint (Successful Response Parameters)

Issue #161 resolved
Torsten Lodderstedt created an issue

What is the purpose of including iss and aud in the response?

Is the client supposed to somehow check the values?

Comments (7)

  1. Nat Sakimura

    It is a bit of a precaution - one of the security targets was to adhere to BCM principles for secure authentication protocols, which recommend that each protocol message identify all the parties involved. So, yes, the client should check that the iss value is an expected one and the aud value is its client ID. Do we need to spell it out? (Maybe)

  2. Torsten Lodderstedt reporter

    The AS authenticates towards the client with its TLS cert, so it’s not obvious to me why this is needed. Can we discuss this on the next call?
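A client-side check of the kind comment 1 asks for (iss must be the authorization server the client was talking to, aud must be the client's own client ID), as an added example that is not code from this issue or from the FAPI specification. The JSON layout of the response, the expiry handling, and all identifiers and URLs are assumptions made for the example.

```python
import json
import time

def validate_request_object_response(body, expected_iss, client_id, now=None):
    """Check a successful request object endpoint response before using it.

    Assumed response layout (constructed for this example): a JSON object
    carrying request_uri, exp, iss and aud. Raises ValueError on any
    failed check and returns the parsed object otherwise.
    """
    try:
        resp = json.loads(body)
    except ValueError as e:
        raise ValueError("response is not JSON: %s" % e)
    if not isinstance(resp, dict) or "request_uri" not in resp:
        raise ValueError("response is not an object carrying request_uri")
    # iss: must be the AS this client sent the request object to,
    # compared exactly (no prefix or case-insensitive matching).
    iss = resp.get("iss")
    if not isinstance(iss, str) or iss != expected_iss:
        raise ValueError("iss %r is not the expected AS %r" % (iss, expected_iss))
    # aud: must name this client; accept the JWT convention of a string
    # or an array of strings, and reject anything else.
    aud = resp.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not all(isinstance(a, str) for a in auds) or client_id not in auds:
        raise ValueError("aud %r does not name client %r" % (aud, client_id))
    # exp: if present, the request_uri must still be usable.
    exp = resp.get("exp")
    if exp is not None:
        now = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or exp <= now:
            raise ValueError("request_uri expired at %r" % exp)
    return resp

def check(body, expected_iss, client_id, now=None):
    """Convenience wrapper returning 'ok' or the failure reason."""
    try:
        validate_request_object_response(body, expected_iss, client_id, now)
        return "ok"
    except ValueError as e:
        return str(e)

# Constructed sample responses (not real endpoints or identifiers).
AS_ISS = "https://as.example.com"
CLIENT_ID = "client-123"
GOOD = json.dumps({"request_uri": "urn:ietf:params:oauth:request_uri:abc",
                   "exp": 1700000600, "iss": AS_ISS, "aud": CLIENT_ID})
WRONG_AUD = json.dumps({"request_uri": "urn:ietf:params:oauth:request_uri:abc",
                        "exp": 1700000600, "iss": AS_ISS, "aud": ["other-client"]})

if __name__ == "__main__":
    print(check(GOOD, AS_ISS, CLIENT_ID, now=1700000000))
    print(check(WRONG_AUD, AS_ISS, CLIENT_ID, now=1700000000))
```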
