- changed status to open
FAPI part 2 should mention/require discovery?
One of the attacks in part2 ( https://openid.net/specs/openid-financial-api-part-2-ID2.html#client-credential-and-authorization-code-phishing-at-token-endpoint ) involves the client developer being socially engineered to configure an incorrect token endpoint controlled by the attacker.
This attack would seem to be impossible if OIDC discovery is used, but FAPI doesn’t mention discovery at all. Should it?
(There are other issues with the current mitigation here, they’re being discussed in another issue.)
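One way a client can close this gap, as an added example (not code from the FAPI spec, this issue, or its PR): take the token endpoint from the issuer's metadata document instead of a hand-entered URL, and reject metadata whose issuer does not match. The issuer URL, endpoints and hand-configured URL below are constructed placeholders.

```python
"""Added example: resolve the token endpoint via OIDC Discovery / RFC 8414
metadata rather than trusting a manually configured URL."""
import json
from urllib.parse import urlsplit

# Constructed sample of what GET <issuer>/.well-known/openid-configuration
# might return; the issuer and endpoint URLs are made up for this example.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "jwks_uri": "https://as.example/jwks",
})


class DiscoveryError(ValueError):
    """Metadata failed a check below; the client must not use it."""


def metadata_url(issuer: str) -> str:
    # OIDC Discovery section 4 / RFC 8414 section 3: well-known path under the issuer
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def resolve_token_endpoint(configured_issuer: str, metadata_json: str) -> str:
    """Return the token endpoint advertised by the issuer's metadata, or raise."""
    doc = json.loads(metadata_json)
    # Both specs require rejecting a document whose issuer differs from the
    # one the client fetched it for; this pins the metadata to that issuer.
    if doc.get("issuer") != configured_issuer:
        raise DiscoveryError(f"issuer mismatch: {doc.get('issuer')!r}")
    endpoint = doc.get("token_endpoint")
    if not isinstance(endpoint, str):
        raise DiscoveryError("token_endpoint missing from metadata")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"token_endpoint is not an https URL: {endpoint!r}")
    return endpoint


def configured_endpoint_matches(configured_issuer: str, metadata_json: str,
                                configured_token_endpoint: str) -> bool:
    """Detect a hand-configured token endpoint that discovery does not advertise.

    This is the scenario the issue refers to: a developer has been talked into
    pointing the client at a URL the issuer's own metadata never lists.
    """
    advertised = resolve_token_endpoint(configured_issuer, metadata_json)
    return configured_token_endpoint == advertised
```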
Comments (14)
This is a good idea, but needs further discussion.
-
We need to mention RFC 8414 as well, given we now also support pure OAuth.
-
reporter Agreed, Torsten.
Brian also made the point that we should be clear we’re only mandating the discovery document part of OIDC discovery, and not the other parts.
After discussion on today’s call I agreed to draft a pull request.
-
assigned issue to
-
assigned issue to
-
reporter Also of note is that OpenBanking in the UK already mandates the discovery document.
-
So does Australian CDR.
assigned issue to
-
assigned issue to
-
- changed status to resolved
resolved with this PR: https://bitbucket.org/openid/fapi/pull-requests/161
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced