[Openid-specs-fapi] Issue #189: behaviour of AS when client passes different values in request object vs OAuth 2.0 request syntax (openid/fapi)
Joseph Heenan
issues-reply at bitbucket.org
Fri Nov 9 16:34:11 UTC 2018
New issue 189: behaviour of AS when client passes different values in request object vs OAuth 2.0 request syntax
https://bitbucket.org/openid/fapi/issues/189/behaviour-of-as-when-client-passes
Joseph Heenan:
As I read the specs currently ( https://openid.net/specs/openid-connect-core-1_0.html#RequestObject ) , clients can pass different values inside and outside the request object to the authorisation endpoint, and the server must accept them (and use the value inside).
This seems unnecessarily complex to me.
I cannot think of a valid reason for a client to pass values that are different.
I can imagine that in some cases using different values could cause confusion that gives rise to a security hole.
I am tempted to believe we should require the AS to reject the request in this case.
More information about the Openid-specs-fapi
mailing list