Add Guidance for the use of FAPI for payments

Issue #172 resolved
Dave Tonge created an issue

Payments are interesting from an OAuth perspective and there are many mistakes that implementers may make, for example:

  • Executing the payment immediately after user authorisation rather than waiting for the RP to exchange the auth code for a token and hit a "confirm" or "complete" endpoint
  • Using a scope value to represent a staged payment resource, but not adequately protecting that scope value

I suggest that we add some guidance around these issues.
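
A worked illustration of the two points above, added here and not part of the issue, the FAPI specifications, or any implementer's code: an in-memory model in which a staged payment is only executed when the RP calls an explicit confirm endpoint with a token bound to that payment, and in which the `payment:<id>` scope value (an assumed naming convention) is checked against the client that staged the payment before the user is allowed to authorise it. Endpoint names and the scope format are assumptions for the example.

```python
import secrets

class StagedPaymentServer:
    # Assumed model: one object standing in for the authorisation server plus the
    # payment API, so the state transitions can be followed in one place.
    def __init__(self):
        self.payments = {}  # payment_id -> {client_id, user, amount, status}
        self.codes = {}     # authorisation code -> {client_id, payment_id}
        self.tokens = {}    # access token -> {client_id, payment_id}

    def stage_payment(self, client_id, amount):
        """RP stages a payment. Nothing is authorised or executed yet."""
        pid = secrets.token_urlsafe(8)
        self.payments[pid] = {"client_id": client_id, "user": None,
                              "amount": amount, "status": "staged"}
        return pid

    def authorise(self, client_id, user, scope):
        """User authorises the scope 'payment:<id>' for client_id.
        The scope is only honoured if the payment was staged by this same client,
        and authorising moves the payment to 'authorised', never to 'executed'."""
        if not scope.startswith("payment:"):
            raise ValueError("unknown scope")
        pid = scope[len("payment:"):]
        p = self.payments.get(pid)
        if p is None or p["client_id"] != client_id or p["status"] != "staged":
            raise ValueError("scope does not name a staged payment of this client")
        p.update(user=user, status="authorised")  # authorised, still NOT executed
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "payment_id": pid}
        return code

    def exchange_code(self, client_id, code):
        """RP exchanges the single-use code for a token bound to exactly one payment."""
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if grant is None or grant["client_id"] != client_id:
            raise ValueError("invalid authorisation code")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = grant
        return tok

    def confirm(self, access_token, payment_id):
        """Explicit confirm endpoint: the only place a payment becomes 'executed'."""
        grant = self.tokens.get(access_token)
        if grant is None or grant["payment_id"] != payment_id:
            raise ValueError("token is not bound to this payment")
        p = self.payments[payment_id]
        if p["status"] != "authorised":
            raise ValueError("payment is not in the authorised state")
        p["status"] = "executed"
        return p["status"]
```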
