[Openid-specs-ab] Minimum OAuth 2.0 parameter set required when using a Request Object
Michael.Jones at microsoft.com
Fri Oct 25 23:54:33 UTC 2013
Later in his review, Brian made this observation:
18.104.22.168 says, "The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification." which would suggest that while the parameters of the JWT-Based Request supersede the OAuth style parameters, the request needs to have at least a baseline set of OAuth style parameters to make it a legit OAuth 2.0 request.
I think that supports my conclusion.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Friday, October 25, 2013 4:22 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Minimum OAuth 2.0 parameter set required when using a Request Object
In his review, Brian asked whether the minimum set of OAuth 2.0-specified Authorization Request parameters must be present in requests using Request Objects (with the "request" or "request_uri" parameters). We currently say that "scope" must be present but we don't say whether "client_id" and "response_type", which are OAuth 2.0 REQUIRED parameters, must be present.
I think they probably need to be, so it's a legal OAuth request. Do others agree?
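Added example, not part of the e-mail thread or of any specification text: a sketch of the check under discussion, in which an Authorization Server requires `response_type`, `client_id` and `scope` as plain OAuth 2.0 parameters even when a `request` object is sent, then lets the Request Object's values supersede them. The function names, the sample values, the rejection of a mismatched `client_id` or `response_type`, and the omission of signature verification and `request_uri` fetching are assumptions of this example.

```python
import base64
import json
from urllib.parse import parse_qs

# Per the thread: "scope" is already required; "client_id" and "response_type"
# are the OAuth 2.0 REQUIRED parameters under discussion.
REQUIRED_OUTER = ("response_type", "client_id", "scope")


class InvalidRequest(ValueError):
    """Authorization request rejected before any further processing."""


def sample_request_object(claims: dict) -> str:
    """Constructed, unsigned sample input (illustration only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


def request_object_claims(jwt: str) -> dict:
    # Assumption: signature/encryption checks happen elsewhere; payload decode only.
    try:
        part = jwt.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    except (IndexError, ValueError) as exc:
        raise InvalidRequest("malformed request object") from exc
    if not isinstance(claims, dict):
        raise InvalidRequest("request object payload is not a JSON object")
    return claims


def effective_params(query: str) -> dict:
    """Validate the outer OAuth 2.0 request, then apply the Request Object."""
    outer = {k: v[0] for k, v in parse_qs(query).items()}
    missing = [p for p in REQUIRED_OUTER if p not in outer]
    if missing:
        raise InvalidRequest("missing OAuth 2.0 parameter(s): " + ", ".join(missing))
    if "request" not in outer:
        return outer
    claims = request_object_claims(outer.pop("request"))
    # Assumption of this example: disagreement on these two is an error, not an override.
    for name in ("response_type", "client_id"):
        if name in claims and claims[name] != outer[name]:
            raise InvalidRequest(f"{name} differs between request and Request Object")
    return {**outer, **claims}  # Request Object values supersede the outer ones
```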