Hello everyone, in an earlier thread I've posed the following question that might have gotten missed, this might have consequences for the existing implementations of Request Objects in OIDC implementations - its making pure JAR requests incompatible with OIDC Core implementations.
draft 14 of jwsreq (JAR) introduced this language The client MAY send the parameters included in the request object > duplicated in the query parameters as well for the backward > compatibility etc. > > *However, the authorization server supporting thisspecification MUST only > use the parameters included in the requestobject. * Server MUST only use the parameters in the Request Object even if the > same parameter is provided in the query parameter. The Authorization The client MAY send the parameters included in the request object > duplicated in the query parameters as well for the backward > compatibility etc. > > *However, the authorization server supporting thisspecification MUST only > use the parameters included in the requestobject. * Nat, John, everyone - *does this mean a JAR compliant AS ignores everything outside of the request object while OIDC Request Object one merges the two with the ones in the request object being used over ones that are sent in clear?* The OIDC language also includes sections which make sure that some required arguments are still passed outside of the request object with the same value to make sure the request is "valid" OAuth 2.0 request (client_id, response_type), something which an example in the JAR spec does not do. Not having this language means that existing authorization request pipelines can't simply be extended with e.g. a middleware, they need to branch their codepaths. Is an AS required to choose which of the two it follows? Thank you for clarifying this in advance. I think if either the behaviour is the same as in OIDC or different this should be called out in the language to avoid confusion, especially since this already exists in OIDC and likely isn't going to be read in isolation, especially because the Request Object is even called out to be already in place in OIDC in the JAR draft. Best, *Filip*
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
