[Openid-specs-mobile-profile] Issue #159: spec requires request_expiry be a string in the signed request object (openid/mobile)

josephheenan at bitbucket.org
Fri Jun 21 06:09:23 UTC 2019


New issue 159: spec requires request_expiry be a string in the signed request object
https://bitbucket.org/openid/mobile/issues/159/spec-requires-request_expiry-be-a-string

Joseph Heenan:

I’m not necessarily suggesting any change here, but do want to draw attention to this in case others missed it (as myself and a vendor both read the spec wrongly I believe).

When using a signed request object, the current spec requires that `requested_expiry` is passed as a string:

> A signed authentication request is made by encoding all of the authentication request parameters as claims of a signed JWT, with each parameter name as the claim name and **its value as a JSON string**.

(from section [https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#signed_auth_request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-02.html#signed_auth_request) - emphasis mine).

It might be worth at least updating the example to include `requested_expiry` to highlight this.
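The typing rule quoted in the message above, as an added example that is not part of the original post or of the spec: a check that reports authentication request parameters in a request object that are not JSON strings. The parameter list is an assumption taken from the CIBA Core spec, the sample token and all its values are constructed, and signature verification is deliberately left out.

```python
import base64
import json

# Assumption: parameter names from the CIBA Core spec, not from the post.
AUTH_REQUEST_PARAMS = {
    "scope", "client_notification_token", "acr_values", "login_hint_token",
    "id_token_hint", "login_hint", "binding_message", "user_code",
    "requested_expiry",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(jws: str) -> dict:
    """Return the claims of a compact JWS. Does NOT verify the signature;
    a real server must verify it before trusting any claim."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def non_string_params(claims: dict) -> dict:
    """Map each authentication request parameter whose value is not a JSON
    string to the Python type it decoded to. JWT claims such as exp are not
    request parameters and are left alone."""
    return {
        name: type(value).__name__
        for name, value in claims.items()
        if name in AUTH_REQUEST_PARAMS and not isinstance(value, str)
    }


def make_sample(requested_expiry) -> str:
    """Constructed sample request object with a placeholder signature."""
    header = {"alg": "ES256"}
    claims = {"iss": "client-1", "aud": "https://op.example",
              "exp": 1561100000, "scope": "openid",
              "login_hint": "user@example.com",
              "requested_expiry": requested_expiry}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"placeholder")])
```

`make_sample(120)` reproduces the misreading described in the message (a JSON number), while `make_sample("120")` is the form the quoted sentence requires.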



