Stuart Low
+1 on this, IPv6 ain't a fun time within corporate hub and spoke.
If an ID Token isn't exchanged it will never be encrypted. At this stage I believe ID Token encryption is still required but a Recipient can elect to use code...
This proposal is in contravention of FAPI Conformance Suite which explicitly tests that a PKCE request is accepted (and ignored if unsupported). This is clarified in the description of _fapi-rw-id2-ensure-valid-pkce-succeeds_...
I don't understand why it needs to be explicitly stated, what is wrong with the upstream standards on this that _wouldn't_ require that validation for hybrid flow anyway?
> We are concerned that one potential 'easy' solution might be to advise intermediaries to **allocate a unique software product to each representative**. This would be highly problematic for those...
I believe this thread and the scope of change required will need to be assessed again based on the "other operational enhancements" additions in the latest rules draft: https://treasury.gov.au/consultation/c2022-315575
FWIW and I'm not so sure _any_ Holder is doing this but the eligibility rule could be read as a "minimum", i.e. voluntary
Implementing this presupposes that all PAR requests will involve an interactive consent flow of a single individual. While that's broadly (but not entirely) true for now, future modes as a...
Adding an addition here that this use case is now _live_ with incidents being raised regarding large numbers of accounts. In the absence of any relief we will now be...
As much as I acknowledge that `defaults` was always an experimental feature the removal of it is a bit bittersweet without the ability to handle variables in `optional`. One...