sender-constrained auth codes & refresh tokens: what does it mean?
Issue #342
resolved
Baseline has "shall only issue authorization codes and refresh tokens that are sender-constrained "
What's the intent of having this? The two previous items, requiring client authentication and PKCE, mean a priori that the RT is sender-constrained and the auth code is sender-constrained twice. But maybe this text suggests something else, or it is redundant. I'm not sure.
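To make the "sender-constrained twice" point concrete, here is an added example of the two bindings an authorization server applies at the token endpoint: the code can only be redeemed by the authenticated client it was issued to, and only by the party holding the PKCE code_verifier; the refresh token is bound by client authentication alone. This is illustrative code written for this thread, not text from the FAPI2 profile or from any FAPI implementation; the helper names (issue_code, redeem_code, refresh), the in-memory stores and the client identifiers are hypothetical.

```python
"""Added example for this thread: how client authentication and PKCE each bind
an authorization code to the requesting client, and how client authentication
alone binds the refresh token.  Not FAPI2 profile text or any real AS code;
helper names and the in-memory stores are hypothetical."""
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the AS database.
CODES = {}           # code -> {client_id, code_challenge, used}
REFRESH_TOKENS = {}  # refresh_token -> client_id it was issued to


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier)))
    with the base64url padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: record which client the code was issued to and
    the PKCE challenge it must be redeemed with.  Only S256 is accepted."""
    if method != "S256":
        raise ValueError("code_challenge_method must be S256")
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "code_challenge": code_challenge, "used": False}
    return code


def redeem_code(code: str, authenticated_client_id: str, code_verifier: str):
    """Token endpoint.  `authenticated_client_id` is the identity established by
    client authentication (e.g. private_key_jwt or mTLS) before this is called.
    Returns (refresh_token, None) on success or (None, error) on failure."""
    rec = CODES.get(code)
    if rec is None or rec["used"]:
        return None, "invalid_grant"
    rec["used"] = True  # single use; a failed attempt also burns the code
    # First binding: the code may only be redeemed by the client it was issued to.
    if not hmac.compare_digest(rec["client_id"], authenticated_client_id):
        return None, "invalid_grant"
    # Second binding: only the party that generated the verifier can redeem it.
    if not hmac.compare_digest(s256_challenge(code_verifier), rec["code_challenge"]):
        return None, "invalid_grant"
    refresh_token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh_token] = authenticated_client_id
    return refresh_token, None


def refresh(refresh_token: str, authenticated_client_id: str) -> bool:
    """Refresh grant: the token is usable only by the authenticated client it was
    issued to, which is the sender-constraint client authentication already gives
    the RT."""
    owner = REFRESH_TOKENS.get(refresh_token)
    return owner is not None and hmac.compare_digest(owner, authenticated_client_id)
```

A stolen code fails the first check (the attacker cannot authenticate as the legitimate client) and, even if it could, the second check (it does not hold the verifier); the code is burned on the first failed attempt so it cannot be retried. A leaked refresh token fails for the same reason at the first check alone.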
Comments (3)
- changed status to resolved
Fix
#342→ <<cset fdbdc841b576>>
- changed component to FAPI2: Security Profile
You can never sender-constrain enough. The text is redundant and I’ll remove it.