Part 2, Section 5.2.2.: remove response type "code id_token token"

Issue #193 closed
Torsten Lodderstedt created an issue

The latest revision of the OAuth 2.0 Security Best Current Practice recommends that implementors discontinue use of response types issuing access tokens in the front channel (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2.1.2).

This also holds true for "code id_token token", since the issued access tokens cannot be sender-constrained.

Note: FAPI Part 2 also recommends holder-of-key, which cannot be fulfilled with "code id_token token".

I suggest removing "code id_token token".
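As an added illustration (not part of the issue text, the FAPI specification, or any working-group code), the following Python snippet shows how an authorization server could enforce the recommendation above by rejecting any authorization request whose response_type contains the "token" value, i.e. any response type that would deliver an access token in the front channel. The authorization endpoint URL and client_id are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Response types that deliver an access token in the front channel (the browser
# redirect). The issue argues these should be retired because such tokens
# cannot be sender-constrained.
FRONT_CHANNEL_TOKEN_RESPONSE_TYPES = {
    "token",
    "id_token token",
    "code token",
    "code id_token token",
}


def normalize_response_type(value: str) -> str:
    """response_type is a space-separated, order-insensitive list of values.

    Sorting the values gives a canonical form so that "token code id_token" and
    "code id_token token" are treated as the same response type.
    """
    return " ".join(sorted(value.split()))


def issues_access_token_in_front_channel(response_type: str) -> bool:
    """True if the (normalized) response type includes the "token" value."""
    return "token" in response_type.split()


def check_authorization_request(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an authorization request URL.

    This is a hypothetical policy hook for an authorization server; it only
    inspects response_type and leaves the remaining request validation
    (client_id, redirect_uri, PKCE, state, nonce, ...) to the rest of the server.
    """
    query = parse_qs(urlsplit(url).query)
    values = query.get("response_type")
    if not values:
        return False, "missing response_type"
    rt_norm = normalize_response_type(values[0])
    if issues_access_token_in_front_channel(rt_norm):
        return False, f"response_type '{rt_norm}' issues an access token in the front channel"
    return True, f"response_type '{rt_norm}' accepted"


if __name__ == "__main__":
    # Constructed sample requests against a placeholder authorization server.
    samples = [
        "https://as.example/authorize?response_type=code%20id_token%20token&client_id=demo",
        "https://as.example/authorize?response_type=code%20id_token&client_id=demo",
        "https://as.example/authorize?response_type=token%20code%20id_token&client_id=demo",
    ]
    for sample in samples:
        accepted, reason = check_authorization_request(sample)
        print("ACCEPT" if accepted else "REJECT", reason)
```

Because the hybrid "code id_token token" flow is rejected while "code id_token" is accepted, clients still obtain the ID token in the front channel for request binding, but the access token is only ever issued from the token endpoint, where it can be sender-constrained.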

Comments (7)