[Openid-specs-mobile-profile] Issue #117: CIBA: other request parameters when "request" is present (openid/mobile)

Takahiko Kawasaki issues-reply at bitbucket.org
Thu Nov 8 08:22:18 UTC 2018

New issue 117: CIBA: other request parameters when "request" is present

Takahiko Kawasaki:

When a backchannel authentication request contains the `request` request parameter, should it be allowed or not for other request parameters to be included?

The authorization endpoint of OIDC allows (has to allow) other request parameters to coexist with the `request` request parameter (or the `request_uri` request parameter) so that the behavior of the endpoint can comply with RFC 6749 at the same time.

However, because the backchannel authentication endpoint is a new endpoint, it is possible to decide to state "other request parameters should not be present when the `request` request parameter is present".

On the other hand, if other request parameters are allowed, it will be better to add some notes to secure consistency between bare request parameters and the request object. For example, in OIDC Core 1.0 says in _"6.1. Passing a Request Object by Value"_ as follows:

> So that the request is a valid OAuth 2.0 Authorization Request, values for the `response_type` and `client_id` parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0. The values for these parameters MUST match those in the Request Object, if present.

More information about the Openid-specs-mobile-profile mailing list