[Openid-specs-fapi] Issue #269: JARM response contents clarifications (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Sat Sep 14 13:03:30 UTC 2019

New issue 269: JARM response contents clarifications

Joseph Heenan:

I'm trying to prototype some tests for JARM but I'm not 100% clear on the meaning of the spec:

1) Can servers optionally return nbf/iat (they're not mentioned in the JARM spec) in the response JWT?

1a) If they can, must those values be valid as per normal JWT rules for nbf/iat?

2) Can servers return other claims in the response JWT or would that be an error or warning? (e.g. returning 'sub', 'c_hash' or 'nonce' claims would seem to indicate the server is not really doing the right thing)

3) Is 'kid' a MUST in the header? The text seems to imply so with explicit mentions of kid.

4) Is it an error for a server to return (say) state in the normal query parameters (i.e. returning state both inside and outside the JWT)?
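A client-side validator that exercises the four points above, as an added example that is not part of this thread and not reference code from the FAPI working group. It assumes an HS256 response JWT signed with a constructed shared secret (a real JARM authorization server signs with its own asymmetric key, selected via `kid`), constructed issuer and client identifiers, and its own conservative policy: `nbf`/`iat` are optional but validated per RFC 7519 when present, ID Token style claims such as `sub` or `nonce` are an error, other unknown claims a warning, a missing `kid` a warning, and any response parameter carried outside the JWT an error. Those policy choices are the example's assumptions, not answers from the spec.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

# Constructed demo values (hypothetical; not from the thread or any real deployment).
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://as.example"
CLIENT_ID = "client-123"

# Claim sets used by the policy below (the example's own choices, not spec text).
REQUIRED = {"iss", "aud", "exp"}                       # JARM validation claims
OPTIONAL_TIME = {"nbf", "iat"}                         # RFC 7519 time claims, checked only if present
RESPONSE_PARAMS = {"code", "state", "error", "error_description", "error_uri"}
ID_TOKEN_ONLY = {"sub", "nonce", "c_hash", "at_hash"}  # belong in an ID Token, not a JARM response


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jarm_response(claims, kid="demo-key-1"):
    """Mint an HS256 JARM response JWT for testing (demo only; a real AS uses an asymmetric key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jarm_redirect(redirect_uri, expected_state, now=None, skew=60):
    """Check a JARM redirect (query or fragment mode) and return ok/errors/warnings/claims."""
    now = int(time.time()) if now is None else now
    errors, warnings = [], []
    parts = urlsplit(redirect_uri)
    params = parse_qs(parts.query or parts.fragment)
    if "response" not in params:
        return {"ok": False, "errors": ["no 'response' parameter"], "warnings": warnings, "claims": {}}

    # Point 4: with JARM every response parameter lives inside the JWT; anything beside it is flagged.
    outside = sorted(set(params) - {"response"})
    if outside:
        errors.append("parameters outside the JWT: " + ", ".join(outside))

    token = params["response"][0]
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:
        return {"ok": False, "errors": ["malformed JWT"], "warnings": warnings, "claims": {}}

    # Verify the signature first and reject any algorithm other than the one the client expects.
    if header.get("alg") != "HS256":
        errors.append("unexpected alg")
    elif not hmac.compare_digest(
        hmac.new(DEMO_SECRET, (h + "." + p).encode("ascii"), hashlib.sha256).digest(), b64url_decode(s)
    ):
        errors.append("signature mismatch")

    # Point 3: a missing kid is treated as a warning; key selection then has to try every published key.
    if "kid" not in header:
        warnings.append("no kid in header")

    missing = REQUIRED - set(claims)
    if missing:
        errors.append("missing claims: " + ", ".join(sorted(missing)))
    if "iss" in claims and claims["iss"] != EXPECTED_ISSUER:
        errors.append("iss mismatch")
    if "aud" in claims:
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if CLIENT_ID not in aud:
            errors.append("aud mismatch")
    if "exp" in claims and claims["exp"] + skew < now:
        errors.append("exp in the past")
    # Points 1/1a: nbf and iat are optional here, but when present they are checked per RFC 7519.
    if "nbf" in claims and claims["nbf"] - skew > now:
        errors.append("nbf in the future")
    if "iat" in claims and claims["iat"] - skew > now:
        errors.append("iat in the future")
    if claims.get("state") != expected_state:
        errors.append("state mismatch")

    # Point 2: ID Token claims are an error; other unknown claims only a warning.
    extra = set(claims) - REQUIRED - OPTIONAL_TIME - RESPONSE_PARAMS
    leaked = sorted(extra & ID_TOKEN_ONLY)
    if leaked:
        errors.append("ID Token claims in response: " + ", ".join(leaked))
    unknown = sorted(extra - ID_TOKEN_ONLY)
    if unknown:
        warnings.append("unknown claims: " + ", ".join(unknown))
    return {"ok": not errors, "errors": errors, "warnings": warnings, "claims": claims}
```

Calling `validate_jarm_redirect(uri, expected_state)` on a redirect URI whose `response` JWT carries `code` and `state` alongside `iss`, `aud` and `exp` returns `ok: True` with no warnings; a response that also places `state` in the query string, omits `kid`, carries a future `nbf` and includes `sub` or `nonce` comes back with one error or warning per point, so a conformance test can assert on exactly which rule the server violated.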
