Is missing "Privacy consideration" OK?

Issue #513 resolved
Nat Sakimura created an issue

The draft is missing “Privacy consideration”. Do we need to add one?

Comments (5)

  1. Torsten Lodderstedt

    I think we could point out that encrypted JARM could be utilised to prevent PII in any of the response artefacts from leaking.

  2. Nat Sakimura reporter

    So, perhaps:

    7. Privacy Considerations

    As JARM is a response mode for OAuth, all the privacy considerations towards OAuth apply. In addition, the following apply.

    7.1 PII in Authorization Response

    If only code and state parameters are returned in the Authorization Response for a confidential client, since they are used only once, and code needs a client credential to be redeemed, they pose a relatively low privacy risk. However, it is possible that other extensions return PII in the Authorization Response. In such a case, encrypted JARM could be utilised to prevent their values from being uncovered, lowering the privacy risk.

    In the case of a public client, just leaking the code would have a greater privacy impact as it can be redeemed for an Access Token which could be exchanged for PII. In this case, encrypted JARM could be utilised to lower the risk as well.
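
    The proposal above hinges on one property: a signed JARM response still carries its claims in clear base64url text, whereas an encrypted one does not. The following Go program, added here as an illustration and not part of this issue thread or of the JARM draft, builds both forms of a response for the same claim set and then models a passive observer (browser history, proxy log, Referer header) that decodes every segment without a key. The claim values, the HS256 signing choice and the direct symmetric JWE (`alg` "dir", `enc` "A256GCM") are assumptions made for the example; the `email` claim stands in for PII that an extension might add to the Authorization Response.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// encodeJSON serialises a value as one base64url JWT/JWE segment.
func encodeJSON(v any) (string, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(raw), nil
}

// SignJARM builds a signed JARM response (JWS, HS256). Integrity is protected,
// but the claims travel as plain base64url text in the middle segment.
func SignJARM(claims map[string]any, key []byte) (string, error) {
	hdr, err := encodeJSON(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := encodeJSON(claims)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(hdr + "." + body))
	return hdr + "." + body + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// EncryptJARM builds an encrypted JARM response as a JWE compact serialisation
// with direct symmetric encryption (alg "dir", enc "A256GCM"). Per RFC 7516 the
// AAD is the base64url header, and the encrypted-key segment is empty for "dir".
func EncryptJARM(claims map[string]any, key []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("A256GCM needs a 32-byte key")
	}
	hdr, err := encodeJSON(map[string]string{"alg": "dir", "enc": "A256GCM"})
	if err != nil {
		return "", err
	}
	plaintext, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, []byte(hdr)) // ciphertext || tag
	split := len(sealed) - gcm.Overhead()
	ct, tag := sealed[:split], sealed[split:]
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// DecryptJARM is the client side: it insists on the expected dir/A256GCM header
// so a malformed or downgraded response is rejected rather than silently read.
func DecryptJARM(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr["alg"] != "dir" || hdr["enc"] != "A256GCM" {
		return nil, errors.New("unexpected JWE algorithm")
	}
	iv, err1 := b64.DecodeString(parts[2])
	ct, err2 := b64.DecodeString(parts[3])
	tag, err3 := b64.DecodeString(parts[4])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
	if err != nil {
		return nil, err // wrong key or tampered response
	}
	var claims map[string]any
	if err := json.Unmarshal(plaintext, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// ExposesClaim models a keyless observer that base64url-decodes each segment
// of a response token and looks for a claim name in clear text.
func ExposesClaim(token, name string) bool {
	for _, seg := range strings.Split(token, ".") {
		raw, err := b64.DecodeString(seg)
		if err == nil && strings.Contains(string(raw), `"`+name+`"`) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed demo key; derive a real one per the JWE spec
	// Constructed JARM claims: iss/aud plus the response parameters and one PII claim.
	claims := map[string]any{"iss": "https://as.example.com", "aud": "client-123",
		"code": "SplxlOBeZQQYbYS6WxSbIA", "state": "af0ifjsldkj", "email": "alice@example.com"}
	signed, _ := SignJARM(claims, key)
	encrypted, _ := EncryptJARM(claims, key)
	fmt.Println("signed response exposes email:   ", ExposesClaim(signed, "email"))
	fmt.Println("encrypted response exposes email:", ExposesClaim(encrypted, "email"))
	got, err := DecryptJARM(encrypted, key)
	fmt.Println("client decrypts email:", got["email"], err)
}
```

    Only the observer check and the round trip are shown; a production client would also validate `iss`, `aud` and `exp` on the decrypted claims exactly as it would for a signed response, and would take the key from its registered JWE configuration rather than a fixed byte slice.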

  3. Nat Sakimura reporter
    • changed status to open

    Accepted in principle. Mandate to the editor given.

    The last paragraph may need to be dropped.