FAPI part 2 should mention/require discovery?

Issue #239 resolved
Joseph Heenan created an issue

One of the attacks in part 2 (https://openid.net/specs/openid-financial-api-part-2-ID2.html#client-credential-and-authorization-code-phishing-at-token-endpoint) involves the client developer being socially engineered to configure an incorrect token endpoint controlled by the attacker.

This attack would seem to be impossible if OIDC discovery is used, but FAPI doesn’t mention discovery at all. Should it?

(There are other issues with the current mitigation here, they’re being discussed in another issue.)
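To make the mitigation the issue is pointing at concrete, here is an added example (not code from the issue, the FAPI specification, or the OpenID Foundation) of a client that takes its token endpoint from the issuer's discovery document instead of a hand-entered setting, and applies the checks that make a substituted endpoint detectable. The discovery documents are constructed inline so the example runs offline; the issuer URL `https://as.example`, the host `attacker.example`, and the rule that endpoints must live on the issuer's own host are assumptions for this example (the last is stricter than what the discovery spec requires). The issuer-equality check itself is the one OIDC Discovery section 4.3 mandates.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document, embedded so the example runs offline.
# A real client would GET <issuer>/.well-known/openid-configuration over TLS.
EXAMPLE_ISSUER = "https://as.example"
EXAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "jwks_uri": "https://as.example/jwks",
})

# Constructed document of the kind a developer might be talked into using:
# the token endpoint points at a host the authorization server does not own.
TAMPERED_DISCOVERY = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://attacker.example/token",
    "jwks_uri": "https://as.example/jwks",
})


class DiscoveryError(ValueError):
    """Raised when a discovery document fails validation."""


def validate_discovery(issuer: str, document: str) -> dict:
    """Parse a discovery document and apply the checks that expose a
    substituted token endpoint.

    - The 'issuer' value must be identical to the issuer URL the document
      was retrieved for (OIDC Discovery section 4.3).
    - Every endpoint must use https.
    - Assumed policy for this example (stricter than the spec): endpoints
      must be served from the issuer's own host.
    """
    doc = json.loads(document)  # raises ValueError on malformed JSON
    if doc.get("issuer") != issuer:
        raise DiscoveryError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    issuer_host = urlparse(issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            raise DiscoveryError(f"{key} missing from discovery document")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            raise DiscoveryError(f"{key} must use https: {url}")
        if parsed.hostname != issuer_host:
            raise DiscoveryError(
                f"{key} host {parsed.hostname!r} is not the issuer host {issuer_host!r}")
    return doc


def resolve_token_endpoint(issuer: str, document: str) -> str:
    """Return the token endpoint from a validated discovery document."""
    return validate_discovery(issuer, document)["token_endpoint"]


def discovery_is_valid(issuer: str, document: str) -> bool:
    """Boolean wrapper for callers that prefer a verdict to an exception."""
    try:
        validate_discovery(issuer, document)
        return True
    except ValueError:  # DiscoveryError and JSON errors both derive from it
        return False


def configured_endpoint_is_trusted(issuer: str, document: str, configured: str) -> bool:
    """Cross-check a manually configured token endpoint against discovery.
    A client that must keep a static setting can still refuse to use it
    when it disagrees with what the issuer publishes."""
    try:
        return configured == resolve_token_endpoint(issuer, document)
    except ValueError:
        return False


if __name__ == "__main__":
    print("discovered token endpoint:",
          resolve_token_endpoint(EXAMPLE_ISSUER, EXAMPLE_DISCOVERY))
    print("tampered document accepted?",
          discovery_is_valid(EXAMPLE_ISSUER, TAMPERED_DISCOVERY))
    print("static attacker endpoint trusted?",
          configured_endpoint_is_trusted(EXAMPLE_ISSUER, EXAMPLE_DISCOVERY,
                                         "https://attacker.example/token"))
```

The point of `configured_endpoint_is_trusted` is that even a client that keeps a static token endpoint in its configuration (for example, because the spec does not yet require discovery) can cross-check that setting against the issuer's published metadata at startup and refuse to run with a value that disagrees.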

Comments (14)

  1. Joseph Heenan reporter

    Agreed Torsten.

    Brian also made the point that we should be clear we’re only mandating the discovery document part of OIDC discovery, and not the other parts.

    After discussion on today’s call I agreed to draft a pull request.
