[Openid-specs-fapi] Issue #189: behaviour of AS when client passes different values in request object vs OAuth 2.0 request syntax (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Fri Nov 9 16:34:11 UTC 2018


New issue 189: behaviour of AS when client passes different values in request object vs OAuth 2.0 request syntax
https://bitbucket.org/openid/fapi/issues/189/behaviour-of-as-when-client-passes

Joseph Heenan:

As I read the specs currently (https://openid.net/specs/openid-connect-core-1_0.html#RequestObject), clients can pass different values inside and outside the request object to the authorisation endpoint, and the server must accept them (and use the value inside).

This seems unnecessarily complex to me.

I cannot think of a valid reason for a client to pass values that are different.

I can imagine that in some cases using different values could cause confusion that gives rise to a security hole.

I am tempted to believe we should require the AS to reject the request in this case.
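As an added illustration of the two behaviours being compared (this is example code written for this page, not code from the thread, the FAPI profile or any OpenID implementation): the resolver below verifies a signed request object, then either lets the inner value win for non-identity parameters (the OpenID Connect Core 6.1 behaviour; `response_type` and `client_id` must match in either case) or, in strict mode, rejects the request whenever the same parameter carries different values inside and outside the request object, which is the rule proposed above. It assumes an HS256 request object signed with a shared client secret so it runs offline (real deployments usually use asymmetric keys and JWKS lookup); the secret, client id, URLs and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# OpenID Connect Core 6.1: these must be present in the OAuth 2.0 request
# syntax and must match the Request Object if they are repeated there.
ALWAYS_MUST_MATCH = {"response_type", "client_id"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed compact JWS (constructed test input only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_request_object(jws: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the claims; anything else is rejected."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected alg
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def resolve_authorization_request(query: dict, secret: bytes, strict: bool = True):
    """Merge the query parameters with the Request Object.

    Returns ("ok", effective_params) or ("error", error_code, reason).
    strict=False: OIDC Core behaviour, the inner value wins for parameters
    other than response_type/client_id.
    strict=True:  the behaviour proposed in the thread, any mismatch is rejected.
    """
    if "request" not in query:
        return ("ok", dict(query))
    try:
        inner = verify_request_object(query["request"], secret)
    except ValueError as exc:
        return ("error", "invalid_request_object", str(exc))
    outer = {k: v for k, v in query.items() if k != "request"}
    for name in sorted(ALWAYS_MUST_MATCH):
        if name not in outer:
            return ("error", "invalid_request", f"{name} missing from OAuth 2.0 request syntax")
    mismatched = sorted(k for k in outer.keys() & inner.keys() if outer[k] != inner[k])
    if mismatched and (strict or any(k in ALWAYS_MUST_MATCH for k in mismatched)):
        return ("error", "invalid_request",
                "parameters differ inside and outside the request object: " + ", ".join(mismatched))
    effective = dict(outer)
    effective.update(inner)  # inner values take precedence, per OIDC Core 6.1
    return ("ok", effective)


# Constructed sample data (placeholder secret, example client id and URLs).
CLIENT_SECRET = b"constructed-client-secret-not-a-real-credential"
SAMPLE_INNER = {
    "iss": "s6BhdRkqt3", "aud": "https://as.example.test",
    "response_type": "code", "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.test/cb",
    "scope": "openid accounts", "state": "af0ifjsldkj",
}


def sample_query(secret: bytes = CLIENT_SECRET, **overrides) -> dict:
    """OAuth 2.0 request syntax copy of the sample, with optional deviations."""
    q = {"response_type": "code", "client_id": "s6BhdRkqt3",
         "redirect_uri": "https://client.example.test/cb",
         "scope": "openid accounts", "state": "af0ifjsldkj"}
    q.update(overrides)
    q["request"] = make_request_object(SAMPLE_INNER, secret)
    return q


if __name__ == "__main__":
    print(resolve_authorization_request(sample_query(), CLIENT_SECRET))
    print(resolve_authorization_request(
        sample_query(redirect_uri="https://other.example.test/cb"), CLIENT_SECRET))
```

The strict branch is the interesting one for the question raised in the thread: a `redirect_uri` or `scope` that differs between the two representations is treated as a malformed request rather than silently resolved in favour of the inner value, so the confusion the post worries about cannot arise at the AS.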



