On 14/01/2020 06:46, Benjamin Kaduk wrote:
> On Mon, Jan 13, 2020 at 12:32:41PM -0500, Justin Richer wrote:
>> To be clear, I’m not saying we suggest a particular form, and I agree that
>> we shouldn’t specify that “it’s a JWT” or something of that nature. But if
>> we call the result of PAR “thing X” and the target of request_uri “thing X”
>> in JAR, then we’re compatible without saying what “thing X” needs to be in
>> all cases.
>>
> That seems fair. What properties would a given "thing X" need to have in
> order to work, though -- uniqueness over a specific period of time?
> Unpredictability? More?
1. That the request_uri uniquely points to the submitted authZ request for the duration of the request_uri lifetime (defined by the expires_in response parameter).
2. The request_uri cannot be reasonably guessed.

I think that's all we need, Ben.

Vladimir
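The two properties above, as an added illustration that is not part of the thread: a minimal in-memory PAR store whose request_uri values are CSPRNG-derived (unguessable) and map to exactly one pushed request until expires_in elapses or the value is consumed. The `urn:ietf:params:oauth:request_uri:` prefix and the client_id binding on resolution are assumptions from the PAR draft, not something the message itself specifies.

```python
import secrets
import time
from typing import Optional

# Assumed from the PAR draft; the thread does not fix a format for "thing X".
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class PushedRequestStore:
    """In-memory store for pushed authorization requests.

    Property 1: a request_uri maps to one submitted request for at most
    expires_in seconds, and is consumed on first use.
    Property 2: the request_uri carries 256 bits of CSPRNG output, so it
    cannot be reasonably guessed.
    """

    def __init__(self, lifetime_seconds: int = 60, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock  # injectable for testing expiry
        self._requests: dict[str, tuple[dict, float]] = {}

    def push(self, client_id: str, params: dict) -> dict:
        """Handle a PAR submission and return the PAR response body."""
        # 32 random bytes -> 43 url-safe characters; collisions are negligible.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        record = dict(params, client_id=client_id)
        self._requests[request_uri] = (record, self.clock() + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def resolve(self, request_uri: str, client_id: str) -> Optional[dict]:
        """Authorization-endpoint lookup; returns the request or None."""
        entry = self._requests.get(request_uri)
        if entry is None:
            return None  # unknown, already consumed, or purged
        record, expires_at = entry
        if self.clock() > expires_at:
            del self._requests[request_uri]  # lifetime over, drop it
            return None
        if record["client_id"] != client_id:
            return None  # must be used by the client that pushed it
        del self._requests[request_uri]  # single use
        return record
```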
OAuth mailing list, OAuth@ietf.org, https://www.ietf.org/mailman/listinfo/oauth