Need tighter explanation of preferred response types
Issue #12
closed
The preferred response type for ASPSPs to implement is in fact 'code id_token', not just 'code', because of the extra mitigation that occurs when the id_token can be used as a detached signature for the authorization code. This preference is not clearly communicated in the spec.

Please update the spec to show that 'code id_token' is a SHOULD and that the other supported options are MAY.
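The "detached signature" the issue refers to is the c_hash claim defined by OpenID Connect Core for the hybrid flow: when the response type returns id_token alongside code, the ID token carries the base64url-encoded left half of the hash of the authorization code, computed with the hash function of the token's signing algorithm, so the client can check that the code it received in the redirect is the one the ASPSP actually signed over. The Python below is an added illustration of that check, not code from this issue, the security profile, or any ASPSP; the issuer/audience values, the sample codes and the reduced claim set are constructed, the term TPP (Open Banking's name for the client) does not appear in the issue, and JWS signature verification of the ID token is assumed to be done by the caller before this check runs. The same left-half-hash construction also serves s_hash (state) and at_hash (access token), so the helper is written generically.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID token's JWS "alg" (OpenID Connect Core):
# c_hash is computed with the hash used by the signing algorithm, e.g. SHA-256
# for PS256. Symmetric algs are deliberately absent: an HMAC-signed ID token
# would not give the client a signature it could attribute to the ASPSP alone.
_ALG_TO_HASH = {
    "RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
    "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
}


def b64url_nopad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as JOSE uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def left_half_hash(value: str, alg: str) -> str:
    """Left-most half of hash(ASCII(value)), base64url-encoded.

    This is the c_hash construction; s_hash and at_hash use the same one.
    """
    hash_name = _ALG_TO_HASH.get(alg)
    if hash_name is None:
        raise ValueError(f"unsupported ID token alg {alg!r}")
    digest = hashlib.new(hash_name, value.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def aspsp_id_token_claims(code: str, alg: str = "PS256") -> dict:
    """ASPSP side: with a 'code id_token' response the ID token carries c_hash,
    binding the signed token to exactly this authorization code.
    Constructed example claims; sub/exp/iat/nonce etc. are omitted for brevity.
    """
    return {
        "iss": "https://aspsp.example",   # assumed issuer
        "aud": "tpp-client-id",           # assumed client_id
        "c_hash": left_half_hash(code, alg),
    }


def tpp_verify_code_binding(claims: dict, alg: str, code: str) -> bool:
    """Client (TPP) side: after the ID token's JWS signature has been verified
    (assumed done by the caller with a JOSE library), confirm that the code
    received in the redirect is the one the ASPSP signed over.

    A missing or non-string c_hash is a failure: when a code is returned
    together with an id_token the claim is required, so its absence means the
    detached-signature mitigation is not in effect.
    """
    presented = claims.get("c_hash")
    if not isinstance(presented, str):
        return False
    expected = left_half_hash(code, alg)
    # Constant-time comparison; the values are short but it costs nothing.
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Constructed scenario: an honest redirect, one where an attacker swapped
    in a code from their own session (code injection), and one where the
    ID token carries no c_hash at all."""
    alg = "PS256"
    victim_code = "SplxlOBeZQQYbYS6WxSbIA"        # constructed sample value
    attacker_code = "AttackerCodeFromOwnSession"  # constructed sample value
    claims = aspsp_id_token_claims(victim_code, alg)
    return {
        "honest": tpp_verify_code_binding(claims, alg, victim_code),
        "injected_code": tpp_verify_code_binding(claims, alg, attacker_code),
        "missing_c_hash": tpp_verify_code_binding({"iss": claims["iss"]}, alg, victim_code),
    }


if __name__ == "__main__":
    print(demo())  # honest True, injected_code False, missing_c_hash False
```

The point of the check is that a signed c_hash ties the code to the ASPSP's signature rather than to whatever the browser happened to carry in the redirect, which is the mitigation the issue asks the spec to make the SHOULD. A plain 'code' response gives the client nothing to compute this over, which is why it can only be an interim MAY.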
Comments (1)
reporter
security profile: Tighten up explanation of allowed response types

Due to the extra mitigation that occurs when id_token can be used as a detached signature for the authorization code, 'code id_token' is the preferred response type.

'code' is allowed as an interim measure as per email discussion with Ralph/Pam/Dave.

closes #12 (cset 3a10419180fc)