"alg" MUST not be "none"

Issue #97 resolved
Axel Nennker created an issue

Regarding Financial_API_WD_002.md : “The authorization server shall verify that the request object is valid and the signature is correct as in clause 6.3 of OIDC.”

How about restricting that “alg” is not “none”?

OpenId.Core Signed Object refers to OpenId Registration which allows all values for “alg” and explicitly allows “none”.

I think that FAPI should state that "alg" MUST not be "none".

Comments (2)

  1. Nat Sakimura

    Yes. Very good idea. Actually, in the security consideration, it is listing the allowed algs but explicitly stating it in the main text is good.

  2. Log in to comment