In https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6, it
is stated that an error is to be returned when the object request is
invalid. These errors are "invalid_request_uri" and
"invalid_request_object".
However, to which redirect URI should we redirect in the following cases:
* the request object is invalid (e.g. invalid signature): should we still
use client_id/redirect_uri of the invalid request object?
* the request URI could not be reached
* the request object is encrypted and cannot be decrypted (bad key)
Would it be acceptable to use the "client_id" and "redirect_uri" request
query parameters in such a case? This would contradict the current
specification, which states that they shall not be used, and it would
defeat confidentiality when using encryption.
Another option is not redirecting and displaying the error message on
the AS, like when the client_id is unknown for instance.
Also, I don't get the example in
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-5.2.2:
https://server.example.com/authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
%23GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
&state=af0ifjsldkj
in regard to the following statement in
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-5:
The client MAY send the parameters included in the request object
duplicated in the query parameters as well for the backward
compatibility etc. However, the authorization server supporting this
specification MUST only use the parameters included in the request
object.
My understanding is that "response_type", "client_id" and "state" will
be ignored by a JAR-compliant OAuth2 server. Isn't it confusing to add
them to the example?
Maybe I've missed something?
Regards,
--
Tangui
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
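The cases the mail raises, worked through as an added example (this is not code from the draft, from the mail's author, or from any authorization server). It models an AS authorization endpoint that receives the section 5.2.2 URL quoted above, retrieves the request object behind request_uri, verifies it, and then uses only the parameters inside the verified object, ignoring the duplicated query parameters. Assumptions, all constructed for the example: the request object is an HS256 JWS over a secret shared with client s6BhdRkqt3 (rather than an RS256/encrypted object), the query client_id is used only to select the verification key, a client_id mismatch between query and object is treated as an invalid object, and for an unreachable request_uri or a failed verification the error is displayed on the AS (the second option in the mail) instead of redirecting to a redirect_uri that could not be verified. The fetch of request_uri is replaced by injectable stand-in functions so the three failure modes can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the HS256 secret the AS shares with client "s6BhdRkqt3" (not a real key).
CLIENT_SECRETS = {"s6BhdRkqt3": b"constructed-demo-secret-for-s6BhdRkqt3"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: build an HS256-signed request object (used here only to construct samples)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class InvalidRequestObject(Exception):
    pass


def verify_request_object(jws: str, secret: bytes) -> dict:
    """AS side: verify the JWS and return its claims; any defect raises InvalidRequestObject."""
    try:
        header_b64, payload_b64, sig_b64 = jws.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON (JSONDecodeError is a ValueError)
        raise InvalidRequestObject("malformed JWS") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # the token never picks the algorithm
        raise InvalidRequestObject("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidRequestObject("bad signature")
    return claims


def authorize(url: str, fetch):
    """AS authorization endpoint logic for a JAR request.

    Returns ("error_at_as", error) when the error is shown on the AS itself, or
    ("redirect", redirect_uri, params) when the verified request object is honoured.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    # Assumption: the query client_id only selects the verification key; it is not trusted by itself.
    secret = CLIENT_SECRETS.get(query.get("client_id", ""))
    if secret is None:
        return ("error_at_as", "unknown_client")  # unknown client_id: inform the user, never redirect
    if "request" in query:
        jws = query["request"]
    elif "request_uri" in query:
        try:
            jws = fetch(query["request_uri"])
        except OSError:
            return ("error_at_as", "invalid_request_uri")  # by-reference object could not be retrieved
    else:
        return ("error_at_as", "invalid_request")
    try:
        obj = verify_request_object(jws, secret)
    except InvalidRequestObject:
        # A redirect_uri taken from an unverified object (or from the query) cannot be trusted,
        # so the error is displayed on the AS instead of redirecting.
        return ("error_at_as", "invalid_request_object")
    if obj.get("client_id") != query["client_id"] or "redirect_uri" not in obj:
        return ("error_at_as", "invalid_request_object")  # assumption: mismatch counts as invalid
    # Only parameters inside the verified object are used; duplicates in the query are ignored.
    params = {k: obj[k] for k in ("response_type", "scope", "state", "nonce") if k in obj}
    return ("redirect", obj["redirect_uri"], params)


# Constructed samples. The URL is the one from draft section 5.2.2; the object behind the
# request_uri is built here with the demo secret, and its state differs from the query's on purpose.
EXAMPLE_URL = ("https://server.example.com/authorize?response_type=code%20id_token"
               "&client_id=s6BhdRkqt3"
               "&request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt"
               "%23GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM"
               "&state=af0ifjsldkj")
REQUEST_OBJECT_CLAIMS = {"iss": "s6BhdRkqt3", "aud": "https://server.example.com",
                         "response_type": "code id_token", "client_id": "s6BhdRkqt3",
                         "redirect_uri": "https://client.example.org/cb",
                         "scope": "openid", "state": "state-from-object"}
GOOD_JWS = sign_request_object(REQUEST_OBJECT_CLAIMS, CLIENT_SECRETS["s6BhdRkqt3"])
# Same claims with another redirect_uri, signed with a key the AS does not know (fails verification).
FORGED_JWS = sign_request_object({**REQUEST_OBJECT_CLAIMS, "redirect_uri": "https://unverified.example/cb"},
                                 b"not-the-client-secret")


def fetch_good(uri: str) -> str:
    """Stand-in for the HTTP fetch of request_uri (the fragment is not sent to the server)."""
    if uri.split("#", 1)[0] == "https://tfp.example.org/request.jwt":
        return GOOD_JWS
    raise ConnectionError(f"unreachable: {uri}")


def fetch_forged(uri: str) -> str:
    return FORGED_JWS


def fetch_unreachable(uri: str) -> str:
    raise ConnectionError("request_uri host down")


if __name__ == "__main__":
    for name, fetch in (("valid", fetch_good), ("forged", fetch_forged), ("unreachable", fetch_unreachable)):
        print(name, authorize(EXAMPLE_URL, fetch))
```

Running it shows the valid case redirecting with state "state-from-object" rather than the query's "af0ifjsldkj", which is the behaviour the quoted MUST implies, while the forged and unreachable cases end on the AS with invalid_request_object and invalid_request_uri respectively.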