[Openid-specs-ab] Dynamic client registration: Stating intent that request objects are mandatory

Nat Sakimura sakimura at gmail.com
Tue Aug 9 04:24:57 UTC 2016

Hi. Sorry I missed your message completely.

This actually did not come up in the WG previously. The argument you make
makes sense if there are only one level of risk for all the request that
the client makes, but in the case where there are multiple risk levels such
as "read" and "write" access, it will require a finer grain control than
per client settings. So, there should be some additional mechanism to
signal whether the request is supposed to be request object only or not. It
can depend on the nature of the resource and the operation upon it, so can
equally be set the AS policy as well.  We need to dig a bit deeper into
this. Perhaps we can continue discussing on this thread.


On Sun, Jul 24, 2016 at 7:28 PM Vladimir Dzhuvinov <vladimir at connect2id.com>

> The point of signed / signed+encrypted request objects is to provide
> additional security, and my understanding is that clients registered
> with "request_object_signing_alg" and / or "request_uris" must not be
> allowed by the OP to make plain OpenID authentication requests. Am I
> correct on this? (even though it's not stated in the OIDC specs)
> Cheers,
> Vladimir
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Nat Sakimura

Chairman of the Board, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160809/2c81d60d/attachment.html>

More information about the Openid-specs-ab mailing list