[Openid-specs-fapi] JARM: Questions about authorization_signed_response_alg
vladimir at connect2id.com
Sat Sep 22 18:11:15 UTC 2018
On 22/09/18 06:42, Takahiko Kawasaki via Openid-specs-fapi wrote:
> If an authorization request is made with response_type=code and without
> response_mode by a client whose authorization_signed_response_alg is not
> null (for example if it is RS256), should query.jwt be used as the default
> value? What I want to know is whether the value of
> authorization_signed_response_alg should affect the default value in the
> case of response_mode omission.
IMO the AS should return an invalid_request error, to signal the client
(developer) that the submitted request doesn't match the contract
established by the registered metadata for the client.
I see three issues with the AS trying to fill in the missing
response_mode parameter using registered client metadata:
* When we take the authZ request on its own, the default response_mode
is actually determined by the response_type parameter.
* Implementing the logic to detect a mismatch with registered client
metadata appears simpler to me than trying to get the request right.
* If developers start relying on the AS to fill in the response_mode
for them this may lead to interop and security issues down the road.
> If an authorization request is made for FAPI READ+WRITE APIs and if the
> value of authorization_signed_response_alg of the client is neither PS256
> or ES256, should the request be rejected as required by "8.6 JWS algorithm
> considerations" of "FAPI Part 2
Yes, that's how I also read the spec. The JWS alg restriction should
then also apply to client registration.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-fapi