I just want to add that the requirement to validate the request at PAR the same
way as you would at the auth endpoint is something that I want to see relaxed,
and I hope it doesn’t make it through to the final standard.
Also keep in mind that this is barely started as a WG document so any
requ
A little more context about that proposed wording is in a github issue at
https://github.com/oauthstuff/draft-oauth-par/issues/38, which is different
driver than allowing a PAR endpoint to stash the encrypted request object
rather than decrypting/validating it. But it's kind of the same concept at
On 07/01/2020 00:22, Filip Skokan wrote:
> We've been discussing making the following change to the language
>
> The AS SHOULD validate the request in the same way as at the
> authorization endpoint. The AS MUST ensure that all parameters to
> the authorization request are still valid a
Just to comment that with a lightweight PAR (stash-only) endpoint one of
the nice benefits of PAR will be lost - to pre-validate the request
(client_id, redirect_uri, etc) as much as possible before a front-end
call is made and the user is sent to the authZ endpoint.
Vladimir
On 06/01/2020 23:59,
We've been discussing making the following change to the language
The AS SHOULD validate the request in the same way as at the authorization
> endpoint. The AS MUST ensure that all parameters to the authorization
> request are still valid at the time when the request URI is used.
>
This would all
