Add Guidance for the use of FAPI for payments
Issue #172
resolved
Payments are interesting from an OAuth perspective and there are many mistakes that implementers may make, for example:
- Executing the payment immediately after user authorisation rather than waiting for the RP to exchange the auth code for a token and hit a "confirm" or "complete" endpoint
- Using a scope value to represent a staged payment resource, but not adequately protecting that scope value
I suggest that we add some guidance around these issues.
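As an added illustration of the first mistake listed above (this is not code from the issue or from the FAPI text), the following hypothetical Python flow keeps user authorisation separate from execution: the payment only executes at an explicit confirm endpoint, with an access token bound to the staged consent, and the consent is bound to the client that staged it. All names, identifiers and the in-memory stores are constructed for the example.

```python
import secrets
class PaymentServer:
    def __init__(self):
        self.consents = {}  # consent_id -> {"client", "amount", "status"}
        self.codes = {}     # auth code -> consent_id (single use)
        self.tokens = {}    # access token -> (client_id, consent_id)
        self.executed = []  # audit trail of payments actually executed
    def stage_payment(self, client_id, amount):
        """Step 1: client stages a payment; no money moves yet."""
        cid = "consent-" + secrets.token_hex(4)
        self.consents[cid] = {"client": client_id, "amount": amount, "status": "staged"}
        return cid
    def authorize(self, client_id, consent_id):
        """Step 2: user approves at the AS. Only a code is issued here; executing
        the payment at this point is the first mistake the issue describes."""
        c = self.consents.get(consent_id)
        # Session-fixation guard: the consent must belong to the requesting client.
        if c is None or c["client"] != client_id or c["status"] != "staged":
            raise PermissionError("consent not staged by this client")
        c["status"] = "authorised"
        code = secrets.token_hex(8)
        self.codes[code] = consent_id
        return code
    def token(self, client_id, code):
        """Step 3: single-use code exchange yields a token bound to one consent."""
        consent_id = self.codes.pop(code, None)
        if consent_id is None or self.consents[consent_id]["client"] != client_id:
            raise PermissionError("invalid or foreign authorisation code")
        tok = secrets.token_hex(8)
        self.tokens[tok] = (client_id, consent_id)
        return tok
    def confirm(self, token, consent_id):
        """Step 4: explicit confirm endpoint, the only place money moves."""
        bound = self.tokens.get(token)
        if bound is None or bound[1] != consent_id:
            raise PermissionError("token is not bound to this consent")
        c = self.consents[consent_id]
        if c["status"] != "authorised":  # also rejects a replayed confirm
            raise PermissionError("consent not in authorised state")
        c["status"] = "executed"
        self.executed.append((consent_id, c["amount"]))
        return c["amount"]

def rejected(fn, *args):
    # True if the call was refused with PermissionError (used in checks)
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```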
Comments (9)
- changed status to open
added text on first topic with more generic wording (session fixation) https://bitbucket.org/openid/fapi/commits/4c9652efbd6d5be7b703aba31cb555fcaebd55b4
Not sure about the scope swap/modification attack - @dgtonge can you describe the attack first?
- changed status to resolved
Merged in Add-Guidance-for-the-use-of-FAPI-for-payments (pull request #103)
Fixed #172. Added section on session fixation
Approved-by: Nat Sakimura sakimura@gmail.com
Approved-by: Joseph Heenan joseph@authlete.com
→ <<cset 5f86ad8bd3bf>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced