First of all, thanks to everyone who worked on this draft. (Aaron - special
thanks for your time at OSW!). This is also to register our (Backbase)
interest in contributing to the draft.

Question on using FiPNA for step-up and similar cases; as long as cookies
are not used in the native scenario, how do we communicate the existing
session to the authorization challenge endpoint? We already have
id_token_hint, but the problem is that ID tokens would generally contain no
session identifiers (in some cases they would, e.g. OIDC Front Channel
Logout requires the presence of the "sid" claim in the ID token, but again,
that's not the general case).

Regards,
Dmitry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
