[Openid-specs-ab] Issue #1061: Core & Registration errata 2 incompatible with JAR (openid/connect)
issues-reply at bitbucket.org
Thu Jan 10 08:43:26 UTC 2019
New issue 1061: Core & Registration errata 2 incompatible with JAR
The errata 2 drafts for Core and Dynamic Registration allow `http` to be used for `request_uri` (and `request_uris` in dynamic registration) where before this was `https` only. This is allowed only under the condition that the loaded Request Object is verifiable by the OP - signed and/or symmetrically encrypted.
Note: I couldn't find the discussion leading to this change.
JAR in its current [draft](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17), on the other hand, allows only https URIs and URNs.
> The "request_uri" value MUST be either URN as defined in RFC8141 or "https" URI as defined in 2.7.2 of RFC7230.
- https always
- http if the resulting object is verifiable
- urn if there's a resolver implemented on the OP side
I get and support all three schemes but maybe the specs should align on this.
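The three-scheme policy listed above, written out as an OP-side acceptance check. This is an added illustration, not code from the OpenID Connect or JAR specifications or from this issue; the profile names ("jar", "oidc-errata2"), the function names and the sample tokens are assumptions constructed for the example.

```python
import base64
import json
from urllib.parse import urlparse

def encode_header(header: dict) -> str:
    """base64url-encode a JOSE header (used only to build the constructed samples)."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _decode_header(segment: str):
    """Decode the first compact-JWT segment; None unless it is a JSON object."""
    try:
        header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return header if isinstance(header, dict) else None

def request_object_is_verifiable(compact_jwt: str) -> bool:
    """Errata 2 condition: the OP can verify the object only if it is a signed
    JWS (alg != none) or a JWE; anything fetched over plain http that fails
    this could have been substituted in transit."""
    parts = compact_jwt.split(".")
    header = _decode_header(parts[0])
    if header is None:
        return False
    if len(parts) == 5 and "enc" in header:  # compact JWE
        return True
    if len(parts) == 3:  # compact JWS; alg "none" gives no integrity protection
        return str(header.get("alg", "none")).lower() != "none"
    return False

def request_uri_allowed(request_uri: str, compact_jwt: str, profile: str,
                        has_urn_resolver: bool = False) -> bool:
    """profile "jar": https or urn only (draft-ietf-oauth-jwsreq-17).
    profile "oidc-errata2": additionally http, if the object is verifiable.
    A urn is only usable when the OP implements a resolver for it."""
    scheme = urlparse(request_uri).scheme.lower()
    if scheme == "https":
        return True
    if scheme == "urn":
        return has_urn_resolver
    if scheme == "http" and profile == "oidc-errata2":
        return request_object_is_verifiable(compact_jwt)
    return False

# Constructed sample Request Objects; only the headers matter for this check.
SAMPLE_UNSIGNED_JWS = encode_header({"alg": "none"}) + ".e30."
SAMPLE_SIGNED_JWS = encode_header({"alg": "RS256"}) + ".e30.c2ln"
SAMPLE_JWE = encode_header({"alg": "RSA-OAEP", "enc": "A256GCM"}) + ".k.iv.ct.tag"
```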