[Openid-specs-ab] Minimum OAuth 2.0 parameter set required when using a Request Object

Nat Sakimura sakimura at gmail.com
Sat Oct 26 03:33:00 UTC 2013


Unless, of course, JWT based request get adopted in OAuth :-) It has been
on the table since almost the very beginning of the OAuth WG.

=nat via iPhone

On Oct 26, 2013, at 12:27, John Bradley <ve7jtb at ve7jtb.com> wrote:

Yes

Sent from my iPhone

On Oct 25, 2013, at 7:54 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

  Later in his review, Brian made this observation:



2.1.2.2 says, "The Authorization Server MUST validate all the OAuth 2.0
parameters according to the OAuth 2.0 specification." which would suggest
that while the parameters of the JWT-Based Request supersede the OAuth
style parameters, the request needs to have at least a baseline set of
OAuth style parameters to make it a legit OAuth 2.0 request.



I think that supports my conclusion.



                                                                -- Mike



*From:* openid-specs-ab-bounces at lists.openid.net [
mailto:openid-specs-ab-bounces at lists.openid.net<openid-specs-ab-bounces at lists.openid.net>]
*On Behalf Of *Mike Jones
*Sent:* Friday, October 25, 2013 4:22 PM
*To:* openid-specs-ab at lists.openid.net
*Subject:* [Openid-specs-ab] Minimum OAuth 2.0 parameter set required when
using a Request Object



In his review, Brian asked whether the minimum set of OAuth 2.0-specified
Authorization Request parameters must be present in requests using Request
Objects (with the “request” or “request_uri” parameters).  We currently say
that “scope” must be present but we don’t say whether “client_id” and
“response_type”, which are OAuth 2.0 REQUIRED parameters, must be present.



I think they probably need to be, so it’s a legal OAuth request.  Do others
agree?



                                                                -- Mike



_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131026/8958217b/attachment-0001.html>


More information about the Openid-specs-ab mailing list