Message source authentication failure

Issue #51 closed
Dave Tonge created an issue

https://bitbucket.org/openid/fapi/annotate/d4edc14c0b76155c97623edb521bfdc56afd64b7/Financial_API_WD_001.md?at=master&fileviewer=file-view-default#Financial_API_WD_001.md-297

I think the wording of this paragraph could be improved. Also is this strictly correct? We recommend TLS mutual authentication which would allow authentication of part of the authorization flow?

Comments (5)

  1. Nat Sakimura

    Agreed that wording can be improved. As far as the correctness is concerned, it is. Even if we do TLS mutual authentication, it only applies to the Token Request, and the Authorization Request is not source authenticated as it goes through the browser redirect. Late binding of authentication does not work here as it does not protect against injection attacks etc.

  2. Nat Sakimura

    Use of signed request object / request uri. OR use of OAuth JAR.

    They are actually the same thing by the way. That should pretty much remove all the insecurity. I and John designed it to be able to meet LoA 4 requirements.
