[Openid-specs-ab] Issue #1061: Core & Registration errata 2 incompatible with JAR (openid/connect)

Filip Skokan issues-reply at bitbucket.org
Thu Jan 10 08:43:26 UTC 2019

New issue 1061: Core & Registration errata 2 incompatible with JAR

Filip Skokan:

The errata 2 drafts for Core and Dynamic Registration allow `http` to be used for `request_uri` (and `request_uris` in dynamic registration) where before this was `https` only. This is allowed only under the condition that the loaded Request Object is verifiable by the OP - signed and/or symmetrically encrypted.

Note: I couldn't find the discussion leading to this change.

JAR, in its current [draft](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17), on the other hand allows only https URIs and URNs.

> The "request_uri" value MUST be either URN as defined in RFC8141 or "https" URI as defined in 2.7.2 of RFC7230.

- https always
- http if the resulting object is verifiable
- urn if there's a resolver implemented on the OP side

I get and support all three schemes, but maybe the specs should align on this.
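The three-scheme rule in the post (https always, http only when the fetched Request Object is verifiable by the OP, urn only when the OP has a resolver) is the kind of gate an OP would apply before it ever tries to verify a signature or decrypt. The following is an added example, not code from the issue, the OpenID specs or any implementation: it inspects the JOSE header of the fetched Request Object to decide whether it is a JWS with a real signature or a symmetrically encrypted JWE (the errata text says "signed and/or symmetrically encrypted", so a JWE to the OP's public key does not count, since anyone could produce one). The `fetch` and `urn_resolver` callables, the sample URIs and the sample tokens are all constructed here; real signature verification against the client's registered keys happens after this gate and is not shown.

```python
import base64
import json
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# JWE key-management algorithms from RFC 7518 that use a key shared with the client.
# A Request Object encrypted this way proves the sender held that key.
SYMMETRIC_JWE_ALGS = {
    "dir",
    "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}


def _decode_b64url(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def request_object_is_verifiable(compact: str) -> bool:
    """Structural pre-check: is this a signed JWS or a symmetrically encrypted JWE?"""
    parts = compact.split(".")
    try:
        header = json.loads(_decode_b64url(parts[0]))
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return False
    if not isinstance(header, dict):
        return False
    alg = header.get("alg")
    if len(parts) == 5 and "enc" in header:
        return alg in SYMMETRIC_JWE_ALGS           # JWE: only symmetric wrapping counts
    if len(parts) == 3:
        return alg is not None and alg.lower() != "none"  # JWS: reject unsecured JWTs
    return False


def request_uri_allowed(
    uri: str,
    fetch: Callable[[str], Optional[str]],
    urn_resolver: Optional[Callable[[str], Optional[str]]] = None,
) -> Tuple[bool, str]:
    """Apply the scheme policy from the issue: https always, http if verifiable, urn if resolvable."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "https":
        return True, "https: always acceptable"
    if scheme == "urn":
        if urn_resolver is None:
            return False, "urn: no resolver configured on this OP"
        if urn_resolver(uri) is None:
            return False, "urn: not resolvable"
        return True, "urn: resolved"
    if scheme == "http":
        obj = fetch(uri)
        if obj is not None and request_object_is_verifiable(obj):
            return True, "http: request object is signed or symmetrically encrypted"
        return False, "http: request object is not verifiable, refusing plaintext transport"
    return False, f"unsupported request_uri scheme {scheme!r}"


# --- constructed sample data (not real tokens: header plus dummy segments) ---

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample(header: dict, n_parts: int) -> str:
    segs = [_b64url(json.dumps(header).encode())] + [_b64url(b"x")] * (n_parts - 1)
    return ".".join(segs)


SAMPLES = {
    "http://client.example/ro-signed": make_sample({"alg": "RS256", "typ": "JWT"}, 3),
    "http://client.example/ro-unsigned": make_sample({"alg": "none"}, 3),
    "http://client.example/ro-dir-enc": make_sample({"alg": "dir", "enc": "A256GCM"}, 5),
    "http://client.example/ro-rsa-enc": make_sample({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5),
}


def fake_fetch(uri: str) -> Optional[str]:
    return SAMPLES.get(uri)


def fake_resolver(urn: str) -> Optional[str]:
    # hypothetical OP-side resolver: knows exactly one URN
    return SAMPLES["http://client.example/ro-signed"] if urn == "urn:example:request:1" else None


if __name__ == "__main__":
    for u in list(SAMPLES) + ["https://client.example/ro", "urn:example:request:1", "ftp://x/ro"]:
        print(u, "->", request_uri_allowed(u, fake_fetch, fake_resolver))
```

The gate deliberately treats `alg: none` and asymmetrically encrypted JWEs as non-verifiable; both would let an unauthenticated party inject a Request Object over plain http, which is exactly the case the errata condition is meant to exclude.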
