<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Yes in both cases the Connect answer is what OAuth requires. </div><div><br></div><div>If OAuth changes Connect will be able to take advantage of that , as long as we allow for backwards comparability. <br><br>Sent from my iPhone</div><div><br>On Oct 26, 2013, at 12:33 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div>Unless, of course, JWT based request get adopted in OAuth :-) It has been on the table since almost the very beginning of the OAuth WG. <br>
<br>=nat via iPhone</div><div><br>On Oct 26, 2013, at 12:27, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>> wrote:<br><br></div><div><span></span></div><blockquote type="cite"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div>
Yes<br><br>Sent from my iPhone</div><div><br>On Oct 25, 2013, at 7:54 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1f497d">Later in his review, Brian made this observation:</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<p class="MsoNormal" style="margin-left:.5in">2.1.2.2 says, "The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification." which would suggest that while the parameters of the JWT-Based Request supersede the
OAuth style parameters, the request needs to have at least a baseline set of OAuth style parameters to make it a legit OAuth 2.0 request.<span style="color:#1f497d"></span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="color:#1f497d">I think that supports my conclusion.</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="color:#1f497d"> -- Mike</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [<a href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Friday, October 25, 2013 4:22 PM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-ab] Minimum OAuth 2.0 parameter set required when using a Request Object</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In his review, Brian asked whether the minimum set of OAuth 2.0-specified Authorization Request parameters must be present in requests using Request Objects (with the “request” or “request_uri” parameters). We currently say that “scope”
must be present but we don’t say whether “client_id” and “response_type”, which are OAuth 2.0 REQUIRED parameters, must be present.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I think they probably need to be, so it’s a legal OAuth request. Do others agree?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> -- Mike</p>
<p class="MsoNormal"> </p>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br>
<span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br>
<span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br>
</div></blockquote>
</div></blockquote></body></html>