CustomerId == sub == x-fapi-customer-id: Should standardize as sub

Issue #66 resolved
Nat Sakimura created an issue

In the spec, there are three ways to express semantically equal thing.

CustomerId == sub == x-fapi-customer-id

As an OIDC related spec, it should standardize on sub.

Also, the http header value for this fixed value may not be trustworthy as it is not a secret and can be reproduced by anyone. So it should not be relied upon. Perhaps, it should be removed from the Security parts and moved to Part 4 to make sure that people does not misunderstand that this is a security feature.

Comments (3)

  1. Nat Sakimura reporter

    Removing this line:

    • can optionally supply the sub value associated with the customer with the x-fapi-customer-id request header, e.g., x-fapi-customer-id: a237cb74-61c9-4319-9fc5-ff5812778d6b;

    Other bullets in the same bullet list needs to be re-evaluated again towards the final though. They are useful, but again, they are not be reliable security feature.

  2. Log in to comment