Call out that client notification endpoint bearer token is not MTLS certificate bound

Issue #230 closed
Joseph Heenan created an issue

I believe the intention of the current spec is that the bearer token the client gives the authorization server for accessing the client notification endpoint is not bound to an MTLS certificate.

I think we should probably more explicitly say this, and perhaps also make clear that this is presumably okay because the only real consequence of both the bearer token and the auth_req_id leaking would be some kind of denial of service attack where it’s possible for an attacker to cause the client to call the token endpoint before the authentication has actually completed.
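As an added illustration (not part of the issue text or of the spec) of why the leak described above stays a nuisance rather than a credential compromise: a minimal Python ping-mode client notification handler with constructed values (`req-1`, `tok-abc`) and a constructed stand-in for the token endpoint that answers CIBA's `authorization_pending` error until the user has approved, so a premature ping only ever produces a capped number of wasted token requests.

```python
import hmac
import json

# Constructed sample state (hypothetical ids/tokens) for a CIBA client in "ping"
# mode: one outstanding backchannel authentication request, keyed by auth_req_id.
PENDING = {
    "req-1": {"client_notification_token": "tok-abc", "token_calls": 0, "access_token": None},
}
MAX_TOKEN_CALLS = 3        # cap on pings the client will turn into token requests
AS_USER_APPROVED = {"req-1": False}  # stand-in for the authorization server's view

def as_token_endpoint(auth_req_id: str) -> dict:
    """Constructed stand-in for the AS token endpoint: CIBA answers with the
    authorization_pending error until the end user has actually approved."""
    if not AS_USER_APPROVED.get(auth_req_id):
        return {"error": "authorization_pending"}
    return {"access_token": "at-" + auth_req_id, "token_type": "Bearer"}

def complete_authentication(auth_req_id: str) -> None:
    """Constructed stand-in for the user approving the request at the AS."""
    AS_USER_APPROVED[auth_req_id] = True

def handle_client_notification(headers: dict, body: bytes) -> int:
    """Client notification endpoint; returns the HTTP status sent back to the AS.
    The bearer token is only compared for equality (it is not certificate-bound),
    so whoever holds a leaked token plus auth_req_id can reach the token request."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    try:
        auth_req_id = json.loads(body)["auth_req_id"]
    except (ValueError, KeyError, TypeError):
        return 400
    req = PENDING.get(auth_req_id)
    expected = req["client_notification_token"] if req else ""
    if req is None or not hmac.compare_digest(auth[len("Bearer "):], expected):
        return 401
    # Each accepted ping costs exactly one token request; bounding that count keeps
    # a leaked token's worst case to a few wasted early requests (the DoS described).
    if req["token_calls"] >= MAX_TOKEN_CALLS:
        return 429
    req["token_calls"] += 1
    resp = as_token_endpoint(auth_req_id)
    if resp.get("error") == "authorization_pending":
        return 204  # premature (possibly spurious) ping: acknowledge, keep waiting
    req["access_token"] = resp["access_token"]  # genuine completion
    return 204
```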

Comments (3)

  1. Joseph Heenan reporter

    CIBA: Add notes about 'ping' and 'push' modes

    The ping and push modes have new semantics, and it is worthwhile to explain why push mode is not permitted, and why ping mode's non-sender constrained bearer token does not give rise to any significant concern.

    closes #230

    closes #235

    → <<cset a0fb98cc1328>>
