[Openid-specs-fapi] JARM: Questions about authorization_signed_response_alg
taka at authlete.com
Sat Sep 22 03:42:14 UTC 2018
I have 2 questions about authorization_signed_response_alg which is defined
in "5. Client Metadata"
of "Financial-grade API: JWT Secured Authorization Response Mode for OAuth
2.0 (JARM) <https://openid.net/specs/openid-financial-api-jarm.html>".
If an authorization request is made with response_type=code and without
response_mode by a client whose authorization_signed_response_alg is not
null (for example if it is RS256), should query.jwt be used as the default
value? What I want to know is whether the value of
authorization_signed_response_alg should affect the default value in the
case of response_mode omission.
If an authorization request is made for FAPI READ+WRITE APIs and if the
value of authorization_signed_response_alg of the client is neither PS256
nor ES256, should the request be rejected as required by "8.6 JWS algorithm
considerations" of "FAPI Part 2