[Openid-specs-fapi] Issue #319: awkward/incorrect language around request_uri (openid/fapi)

Brian Campbell issues-reply at bitbucket.org
Tue Sep 29 22:05:34 UTC 2020


New issue 319: awkward/incorrect language around request_uri
https://bitbucket.org/openid/fapi/issues/319/awkward-incorrect-language-around

Brian Campbell:

Section 5.2 of RW / Part II (https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md#markdown-header-522-authorization-server) has:

“shall require the `request` or `request_uri` parameter to be passed as a JWS signed JWT as in clause 6 of [OIDC](http://openid.net/specs/openid-connect-core-1_0.html);”

and 

“shall only use the parameters included in the signed request object passed in the `request` or `request_uri` parameter;”

both of which, if read literally (and that tends to happen with these documents), suggest that the request_uri value is itself a JWS. Which, of course, it isn’t.

Perhaps something more like:

“shall require the `request` or `request_uri` parameter to be or reference a JWS signed JWT”

and 

“shall only use the parameters included in the signed request object passed via the `request` or `request_uri` parameter;”