openid / fapi / issues / #97 - "alg" MUST not be "none" — Bitbucket

Issue #97 resolved

Axel Nennker created an issue 2017-05-16

Regarding Financial_API_WD_002.md : “The authorization server shall verify that the request object is valid and the signature is correct as in clause 6.3 of OIDC.”

How about restricting that “alg” is not “none”?

OpenId.Core Signed Object refers to OpenId Registration which allows all values for “alg” and explicitly allows “none”.

I think that FAPI should state that "alg" MUST not be "none".

Comments (5)

Nat Sakimura
Yes. Very good idea. Actually, in the security consideration, it is listing the allowed algs but explicitly stating it in the main text is good.
- 2017-05-16T14:09:33+00:00
Edmund Jay
- changed status to resolved
fixes ~~#97~~- "alg" MUST not be "none"

→ <<cset 8de7e2557e1c>>
- 2017-05-16T17:58:27+00:00
Nat Sakimura
- changed component to Part 2: Advanced
- 2022-12-14T15:36:07+00:00
Nat Sakimura
- changed component to FAPI 1 – Part 2: Advanced
- 2022-12-14T15:36:41+00:00
Nat Sakimura
- changed component to FAPI 1: Advanced
- 2022-12-14T15:38:51+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: FAPI 1: Advanced

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!