[Openid-specs-ab] Validating request
Roland Hedberg
roland.hedberg at adm.umu.se
Thu Sep 8 13:51:32 UTC 2011
In OpenID Connect Standard 1.0 - draft 04, section 4.1.2, it says:
"The Authorization Server validates the request to ensure all required parameters are present and valid."
Now, if I take the example in 4.1.1.2, I find, when I compare the parameters in the payload with what appears in the Authorization Request URL below it, that the scope is different:
scope: "openid profile" in the payload
scope: "openid" in the URL
I would say that this makes it an invalid request and assume that someone has tampered with the URL after it was signed (= the request value constructed).
Hence, the text describing what a validation should involve is understated and should be expanded to at least contain a comparison between the parameters that appear both in the URL and in the JWT.
-- Roland
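The check this message asks for, as an added example that is not part of the original post and not the spec's own text: verify the signature on the request object, then compare every parameter that appears both in the Authorization Request URL and in the JWT claims, and reject the request if any pair differs. The HS256 shared secret, the client_id, redirect_uri and nonce values, and the constructed URLs are all assumptions for illustration; real deployments would typically verify an RS256 signature against the client's registered key instead.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: a shared client secret used to sign the request
# object with HS256. Not a real credential.
CLIENT_SECRET = b"example-shared-secret-not-real"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, secret: bytes) -> str:
    """Serialise claims as a compact HS256 JWS, i.e. the value of the 'request' parameter."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_request_object(jws: str, secret: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError otherwise."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature on request object")
    return json.loads(b64url_decode(payload_b64))


def _normalise(name: str, value) -> object:
    # scope is an unordered, space-separated list; everything else compares as a string
    if name == "scope":
        return frozenset(str(value).split())
    return str(value)


def validate_authorization_request(url: str, secret: bytes,
                                   required=("response_type", "client_id", "scope")):
    """Return (ok, problems) for an authorization request URL that may carry a 'request' JWS."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for name, values in query.items():
        if len(values) > 1:  # OAuth 2.0 forbids repeating a parameter
            problems.append(f"parameter {name!r} appears more than once")
    params = {name: values[0] for name, values in query.items()}
    for name in required:
        if name not in params:
            problems.append(f"missing required parameter {name!r}")
    if "request" in params:
        try:
            claims = verify_request_object(params["request"], secret)
        except ValueError as exc:
            problems.append(str(exc))
            claims = {}
        # A parameter present in both the URL and the JWT must carry the same value;
        # otherwise the URL was altered after the request object was signed.
        for name, url_value in params.items():
            if name != "request" and name in claims and \
                    _normalise(name, claims[name]) != _normalise(name, url_value):
                problems.append(f"{name!r} differs: URL={url_value!r} JWT={claims[name]!r}")
    return (not problems, problems)


def build_example_url(url_scope: str, jwt_scope: str, secret: bytes = CLIENT_SECRET) -> str:
    """Constructed request loosely modelled on the draft's example; all identifiers are illustrative."""
    claims = {
        "response_type": "code id_token",
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.com/cb",
        "scope": jwt_scope,
        "nonce": "n-0S6_WzA2Mj",
    }
    query = {
        "response_type": "code id_token",
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.com/cb",
        "scope": url_scope,
        "request": make_request_object(claims, secret),
    }
    return "https://server.example.com/authorize?" + urlencode(query)


if __name__ == "__main__":
    for url_scope in ("openid", "openid profile"):
        ok, problems = validate_authorization_request(
            build_example_url(url_scope, "openid profile"), CLIENT_SECRET)
        print(f"URL scope={url_scope!r}: ok={ok} problems={problems}")
```

Run as-is, the first request (URL scope "openid", JWT scope "openid profile") is rejected with a scope mismatch, mirroring the discrepancy in the draft's example, while the second is accepted. Note that the comparison is only meaningful once the signature has been verified: an attacker who can tamper with the URL can equally well replace the request object unless they lack the signing key.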