FAPI part 2 - Request Object Endpoint (Successful Response Parameters)
Issue #161
resolved
what is the purpose of including iss and aud in the response?
Is the client supposed to somehow check the values?
Comments (7)
May I close this ticket?
reporter: The AS authenticates towards the client with its TLS cert, so it’s not obvious to me why this is needed. Can we discuss this on the next call?
reporter: changed component to Pushed Request Uri
reporter: changed status to resolved
Issue #254 is about the same topic.
It is a bit of a precaution: one of the security targets was to adhere to BCM principles for secure authentication protocols, which recommend that each protocol message identify all the parties involved. So, yes: the client should check that the `iss` value is the expected one and that the `aud` value is its client ID. Do we need to spell it out? (Maybe)