[Openid-specs-ab] Issue #1686: op_state in pre-authz (openid/connect)
Oliver Terbu
issues-reply at bitbucket.org
Wed Oct 19 10:47:23 UTC 2022
New issue 1686: op_state in pre-authz
https://bitbucket.org/openid/connect/issues/1686/op_state-in-pre-authz
Oliver Terbu:
The OpenID for CI spec currently says:
> If the client receives a value for this parameter, it MUST include it in the subsequent Authentication Request to the Credential Issuer as the `op_state` parameter value. MUST NOT be used in Authorization Code flow when `pre-authorized_code` is present
I’m surprised why `op_state` MUST not be used with pre-authz flow. Why do we need this normative text? In OpenID and OAuth2, normally unknown parameters are ignored. This could also apply to `op_state` in case of a pre-authz flow.
Can we remove the following sentence?
> MUST NOT be used in Authorization Code flow when `pre-authorized_code` is present
Otherwise we should probably also define that this results in an error.