"alg" MUST not be "none"
Issue #97
resolved
Regarding Financial_API_WD_002.md : “The authorization server shall verify that the request object is valid and the signature is correct as in clause 6.3 of OIDC.”
How about restricting “alg” so that it is not “none”?
OpenId.Core Signed Object refers to OpenId Registration, which allows all values for “alg” and explicitly allows “none”.
I think that FAPI should state that "alg" MUST not be "none".
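As an added illustration (not code from the FAPI text or from this issue's author), a pre-signature header check for a compact-serialised request object that rejects "alg": "none" before any signature verification runs. The PS256/ES256 allow-list and the sample claims are assumptions made for the example.

```python
import base64
import json
from typing import Tuple

# Algorithms accepted for signed request objects in this example.
# Assumed for illustration, not quoted from the FAPI specification.
ALLOWED_ALGS = {"PS256", "ES256"}


def _b64url_decode(segment: str) -> bytes:
    # base64url without padding, as used in compact JWS serialisation
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_request_object_header(jws: str) -> Tuple[bool, str]:
    """Inspect the JOSE header of a request object before any signature
    check. Returns (accepted, reason). Rejecting 'none' here means an
    unsigned object never reaches a verifier that might treat it as valid."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "not compact JWS (expected 3 segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False, "header is not valid base64url JSON"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "alg missing or not a string"
    # Case-insensitive: 'None' / 'NONE' are still the unsigned algorithm
    if alg.lower() == "none":
        return False, "unsigned request object (alg=none) rejected"
    if alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} is not in the allow-list"
    if parts[2] == "":
        return False, "empty signature segment"
    return True, f"header accepted, now verify the {alg} signature"


def make_jws(header: dict, payload: dict, signature: bytes) -> str:
    """Build a compact JWS from constructed parts (signature not computed)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(payload).encode()), enc(signature)])


# Constructed sample claims for a request object (hypothetical client/AS)
SAMPLE_CLAIMS = {"iss": "client-123", "aud": "https://as.example", "response_type": "code"}
```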
Comments (5)
- changed status to resolved: fixes #97 - "alg" MUST not be "none" → <<cset 8de7e2557e1c>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
Yes, very good idea. Actually, the security considerations section lists the allowed algs, but stating it explicitly in the main text is good.