Part 2: Require redirect_uri to be inside signed request object
Joseph Heenan
Branch: josephheenan/fapi:redirect_uri_inside_request_obj
Branch: openid/fapi:master
Merged in josephheenan/fapi/redirect_uri_inside_request_obj (pull request #42)
fixes #128 (or at least fixes the only part it seems we can currently fix)
This should help mitigate any attacks that require changing the redirect_uri.
The redirect_uri appears to still be required as a parameter outside the request object for compliance with the current underlying OAuth RFC (although my personal opinion is that this is not clearly stated in the specifications).
The OIDC Core spec is already clear on behaviour in the case where redirect_uri is present in both locations:
"When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede those passed using the OAuth 2.0 request syntax."
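The authorization-server side of the rule described in this pull request, as an added example that is not code from the PR or from the FAPI project: the request object is verified, `redirect_uri` must be present inside the signed object, the outer OAuth `redirect_uri` parameter is still required, and where both are present the signed value supersedes the outer one (the OIDC Core sentence quoted above), with any mismatch reported so it can be logged. The shared-secret HS256 signing, the `DEMO_KEY` value, the function names and the sample request are all assumptions made here so the example runs offline; a real FAPI deployment signs request objects with the client's asymmetric key.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical shared secret so the example is self-contained. FAPI deployments
# sign request objects with the client's asymmetric key; that is out of scope here.
DEMO_KEY = b"constructed-demo-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (HS256) carrying the authorization request claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_request_object(jws: str, key: bytes) -> dict:
    """Check the signature and return the claims; reject anything unsigned or altered."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed request object")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept alg=none or an algorithm downgrade
        raise ValueError("unsupported alg in request object")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(payload_b64))


def resolve_authorization_request(query: dict, key: bytes, registered_redirect_uris: set) -> dict:
    """
    Merge the outer OAuth parameters with the signed request object.

    - the signed request object is mandatory
    - redirect_uri must appear inside the signed object (the rule this PR adds)
    - the outer redirect_uri is still required for plain OAuth compatibility
    - where both are present the signed value supersedes (OIDC Core); a mismatch
      is returned as outer_mismatch so the server can log it as a tampering signal
    """
    if "request" not in query:
        raise ValueError("signed request object is required")
    if "redirect_uri" not in query:
        raise ValueError("redirect_uri must also be sent as a plain OAuth parameter")
    claims = verify_request_object(query["request"], key)
    signed_redirect_uri = claims.get("redirect_uri")
    if not signed_redirect_uri:
        raise ValueError("redirect_uri must be inside the signed request object")
    if signed_redirect_uri not in registered_redirect_uris:
        raise ValueError("redirect_uri is not registered for this client")
    if claims.get("client_id") != query.get("client_id"):
        # OIDC Core requires the outer client_id and the request object client_id to match
        raise ValueError("client_id mismatch between request object and outer parameters")

    effective = {k: v for k, v in query.items() if k != "request"}
    effective.update(claims)  # values inside the JWT win over the outer parameters
    effective["outer_mismatch"] = query["redirect_uri"] != signed_redirect_uri
    return effective


if __name__ == "__main__":
    # Constructed sample request: the signed object and the outer parameters agree.
    claims = {"client_id": "client-123", "response_type": "code",
              "redirect_uri": "https://rp.example/cb", "scope": "openid",
              "state": "s1", "nonce": "n1"}
    query = {"client_id": "client-123", "response_type": "code",
             "redirect_uri": "https://rp.example/cb", "scope": "openid",
             "request": sign_request_object(claims, DEMO_KEY)}
    print(resolve_authorization_request(query, DEMO_KEY, {"https://rp.example/cb"}))
    # Same signed object, but the outer redirect_uri was altered in transit:
    # the signed value is used and outer_mismatch is True.
    altered = dict(query, redirect_uri="https://other.example/cb")
    print(resolve_authorization_request(altered, DEMO_KEY, {"https://rp.example/cb"}))
```

Because the effective `redirect_uri` is always taken from the signed object and must match a registered value, changing the unsigned outer parameter cannot change where the code is delivered; the `outer_mismatch` flag exists only so the mismatch is visible in the server's logs rather than silently ignored.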