[Openid-specs-ab] Minimum OAuth 2.0 parameter set required when using a Request Object

John Bradley ve7jtb at ve7jtb.com
Sat Oct 26 12:13:19 UTC 2013


Yes, in both cases the Connect answer is what OAuth requires.

If OAuth changes, Connect will be able to take advantage of that, as long as we allow for backwards compatibility.

Sent from my iPhone

> On Oct 26, 2013, at 12:33 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> 
> Unless, of course, JWT-based requests get adopted in OAuth :-) It has been on the table since almost the very beginning of the OAuth WG.
> 
> =nat via iPhone
> 
>> On Oct 26, 2013, at 12:27, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> 
>> Yes
>> 
>> Sent from my iPhone
>> 
>>> On Oct 25, 2013, at 7:54 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>> 
>>> Later in his review, Brian made this observation:
>>>  
>>> 2.1.2.2 says, "The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification." which would suggest that while the parameters of the JWT-Based Request supersede the OAuth style parameters, the request needs to have at least a baseline set of OAuth style parameters to make it a legit OAuth 2.0 request.
>>>  
>>> I think that supports my conclusion.
>>>  
>>>                                                                 -- Mike
>>>  
>>> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
>>> Sent: Friday, October 25, 2013 4:22 PM
>>> To: openid-specs-ab at lists.openid.net
>>> Subject: [Openid-specs-ab] Minimum OAuth 2.0 parameter set required when using a Request Object
>>>  
>>> In his review, Brian asked whether the minimum set of OAuth 2.0-specified Authorization Request parameters must be present in requests using Request Objects (with the “request” or “request_uri” parameters).  We currently say that “scope” must be present but we don’t say whether “client_id” and “response_type”, which are OAuth 2.0 REQUIRED parameters, must be present.
>>>  
>>> I think they probably need to be, so it’s a legal OAuth request.  Do others agree?
>>>  
>>>                                                                 -- Mike
>>>  
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab


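The check discussed in this thread, as an added example that is not part of the original messages or of any OpenID implementation: an authorization endpoint rejects a request that carries a Request Object unless the outer query string is already a complete OAuth 2.0 request, then lets the Request Object values supersede the query-string ones. The function names, the sample client_id and state values, and the unsecured (alg=none) sample Request Object are assumptions constructed for illustration; signature handling and fetching a "request_uri" are out of scope.

```python
import base64
import json
from urllib.parse import parse_qs

# Baseline discussed in the thread: "scope" (already required by the draft)
# plus the OAuth 2.0 REQUIRED parameters "client_id" and "response_type".
BASELINE = ("client_id", "response_type", "scope")


def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def effective_parameters(query):
    """Return the merged parameters, or raise ValueError if the outer
    request is not a complete OAuth 2.0 request on its own."""
    parsed = parse_qs(query, keep_blank_values=True)
    # OAuth 2.0 does not allow a parameter to appear more than once.
    repeated = sorted(k for k, v in parsed.items() if len(v) > 1)
    if repeated:
        raise ValueError("repeated parameters: " + ", ".join(repeated))
    params = {k: v[0] for k, v in parsed.items()}
    missing = [p for p in BASELINE if not params.get(p)]
    if missing:
        raise ValueError("missing OAuth 2.0 parameters: " + ", ".join(missing))
    if "request" in params:
        # Signature handling is out of scope here; only the claims are read.
        parts = params["request"].split(".")
        if len(parts) != 3:
            raise ValueError("request is not a compact JWT")
        claims = _b64url_json(parts[1])
        # Request Object values supersede the query-string values.
        params.update({k: v for k, v in claims.items() if isinstance(v, str)})
    return params


def make_unsigned_request_object(claims):
    """Constructed sample input: an unsecured (alg=none) Request Object."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```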