V51 OAuth: Add verification for PAR #2042
Assignees
Labels
1) Discussion ongoing
Issue is opened and assigned but no clear proposal yet
V51
Group issues related to OAuth
_5.0 - prep
This needs to be addressed to prepare 5.0
Comments
tghosth
added
1) Discussion ongoing
|
@TobiasAhnoff or @randomstuff - please explain, what security problem it solves? |
|
The client can make sure that the user does not tamper with the content of the authorization request such as:
Moreover this aligns with FAPI 2.0? |
|
Yes, PAR closes a number of tampering issues (integrity protection for the auth request), see e g https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-main-differences-to-fapi-10 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
PAR is part of FAPI 2 requirements and the following verification is suggested to address PAR:
V51.2 Authorization Server
Verify that grant type 'code' is always used together with PAR requiring client authentication (for L1-L2 PAR is optional and could be used without client authentication). (L3)
The text was updated successfully, but these errors were encountered: