Hi Hervé

> On 18 Nov 2019, at 14:20, Robache Hervé <herve.roba...@stet.eu> wrote:
> 
> Thanks Joseph
>  
> I agree with you. There should be no issue when the URL is registered during 
> the TPP app installation.
>  
> From my perspective, this URL should be passed during the authorization 
> request within the [redirect_uri] field.

Exactly, and that same URL should have been pre-registered with the 
authorization server.

>  
> By the way, most of the French banks will use Oauth2 AC and not OpenId 
> Connect. I guess that the sequence diagram is roughly the same, isn’t it?

Correct; pretty much exactly the same as I presume you’d still be using the 
authorization code flow.

The security concerns for app2app are very similar to basic OAuth2 / OpenID 
Connect, and to quickly sum those up for anyone reading this who's not 
familiar with those concerns: it's very easy to do something that has 
undesirable security properties, and you should follow documents like FAPI-RW 
(originally an OpenID Connect based standard, but now that JARM exists and has 
some vendor adoption, OpenID Connect is not required) or the OAuth2 Security 
BCP, to ensure your implementation is not vulnerable to the known attacks 
against OAuth2.

Cheers

Joseph

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
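The checks the thread points at, on the authorization-server side: the redirect_uri from the authorization request compared by exact string match against the pre-registered value, the code bound to that client and URI, PKCE (S256) and single-use codes, all as the OAuth2 Security BCP describes. This is an added example written for this thread, not code from the post, from STET or from any bank or TPP implementation. The client id, callback URL, in-memory stores and request dictionaries are constructed for illustration, and the flow is plain OAuth2 authorization code with no OpenID Connect, matching the case Hervé describes.

```python
"""Authorization-server side of the OAuth2 authorization code flow with the
checks the Security BCP / FAPI expect. Added example for the mailing-list
thread; client ids, URIs and stores below are constructed, not real."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration. For app2app this is the TPP app's callback URL,
# fixed at registration/installation time and never taken from the request.
REGISTERED_CLIENTS = {
    "tpp-app-123": {"redirect_uris": {"https://tpp.example/callback"}},
}

# code -> what it was bound to when issued (in memory for the example).
ISSUED_CODES = {}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string comparison, as the Security BCP requires. Prefix or
    pattern matching is what lets a look-alike such as
    'https://tpp.example/callback.attacker.net' receive the code."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def _s256(verifier):
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    """Client side: a fresh code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, _s256(verifier)


def authorize(params):
    """Authorization endpoint. Returns (redirect_target, error)."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if not redirect_uri_allowed(client_id, redirect_uri):
        # Unregistered URI: fail locally, never redirect there, not even with an error.
        return None, "invalid_redirect_uri"
    if params.get("response_type") != "code":
        return None, "unsupported_response_type"
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return None, "invalid_request"  # PKCE is mandatory for this AS
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": params["code_challenge"],
        "used": False,
    }
    query = {"code": code}
    if "state" in params:
        query["state"] = params["state"]
    return f"{redirect_uri}?{urlencode(query)}", None


def code_from_redirect(target):
    """Client side: pull the code out of the redirect the AS produced."""
    return parse_qs(urlsplit(target).query)["code"][0]


def token(params):
    """Token endpoint. Returns (token_response, error)."""
    entry = ISSUED_CODES.get(params.get("code"))
    if entry is None or entry["used"]:
        return None, "invalid_grant"
    entry["used"] = True  # burn the code before any further check can fail
    if entry["client_id"] != params.get("client_id"):
        return None, "invalid_grant"
    # The token request must repeat the exact redirect_uri the code was issued to.
    if entry["redirect_uri"] != params.get("redirect_uri"):
        return None, "invalid_grant"
    expected = _s256(params.get("code_verifier", ""))
    if not hmac.compare_digest(expected, entry["code_challenge"]):
        return None, "invalid_grant"
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}, None


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    target, err = authorize({"response_type": "code", "client_id": "tpp-app-123",
                             "redirect_uri": "https://tpp.example/callback",
                             "code_challenge": challenge,
                             "code_challenge_method": "S256", "state": "abc"})
    resp, err = token({"code": code_from_redirect(target), "client_id": "tpp-app-123",
                       "redirect_uri": "https://tpp.example/callback",
                       "code_verifier": verifier})
    print(resp, err)
```

Two points worth noting in the token endpoint: the code is marked used before the PKCE or redirect_uri checks run, so a failed attempt cannot be retried with a corrected parameter, and the verifier is compared with `hmac.compare_digest` rather than `==`. The same exact-match rule applies to the app2app case, where the "URL" the TPP app registered at installation is just another entry in `redirect_uris`.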