I can get by not having to have the minimum oauth request parameters, but the current language does not imply that one can use the parameters if they’re not present in the Request Object.
That derails JAR from its OIDC variant. Odesláno z iPhonu 28. 8. 2019 v 10:48, Torsten Lodderstedt <tors...@lodderstedt.net>: > Hi Filip, > > In my understanding, duplication of request parameters outside of the request > object was necessary in the OIDC variant in order to retain OAuth compliance. > JAR as an OAuth extension will not require the client to duplicate OAuth > request parameters outside of the request object. > > There might potentially be reasons for merging (different) URI request > parameters with parameters passed in the request object in cases where long > living request objects are used. > > kind regards, > Torsten. > >> On 27. Aug 2019, at 13:46, Filip Skokan <panva...@gmail.com> wrote: >> >> Hello everyone, >> >> in an earlier thread I've posed the following question that might have >> gotten missed, this might have consequences for the existing implementations >> of Request Objects in OIDC implementations - its making pure JAR requests >> incompatible with OIDC Core implementations. >> >> draft 14 of jwsreq (JAR) introduced this language >> >> The client MAY send the parameters included in the request object >> duplicated in the query parameters as well for the backward >> compatibility etc. However, the authorization server supporting this >> specification MUST only use the parameters included in the request >> object. >> >> Server MUST only use the parameters in the Request Object even if the >> same parameter is provided in the query parameter. The Authorization >> >> The client MAY send the parameters included in the request object >> duplicated in the query parameters as well for the backward >> compatibility etc. However, the authorization server supporting this >> specification MUST only use the parameters included in the request >> object. >> >> Nat, John, everyone - does this mean a JAR compliant AS ignores everything >> outside of the request object while OIDC Request Object one merges the two >> with the ones in the request object being used over ones that are sent in >> clear? The OIDC language also includes sections which make sure that some >> required arguments are still passed outside of the request object with the >> same value to make sure the request is "valid" OAuth 2.0 request (client_id, >> response_type), something which an example in the JAR spec does not do. Not >> having this language means that existing authorization request pipelines >> can't simply be extended with e.g. a middleware, they need to branch their >> codepaths. >> >> Is an AS required to choose which of the two it follows? >> >> Thank you for clarifying this in advance. I think if either the behaviour is >> the same as in OIDC or different this should be called out in the language >> to avoid confusion, especially since this already exists in OIDC and likely >> isn't going to be read in isolation, especially because the Request Object >> is even called out to be already in place in OIDC in the JAR draft. >> >> Best, >> Filip >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
