[Openid-specs-fapi] JARM: Questions about authorization_signed_response_alg

Takahiko Kawasaki taka at authlete.com
Sat Sep 22 03:42:14 UTC 2018


Hello,

I have 2 questions about authorization_signed_response_alg which is defined
in "5. Client Metadata
<https://openid.net/specs/openid-financial-api-jarm.html#client-metadata>"
of "Financial-grade API: JWT Secured Authorization Response Mode for OAuth
2.0 (JARM) <https://openid.net/specs/openid-financial-api-jarm.html>".

[1]

If an authorization request is made with response_type=code and without
response_mode by a client whose authorization_signed_response_alg is not
null (for example if it is RS256), should query.jwt be used as the default
value? What I want to know is whether the value of
authorization_signed_response_alg should affect the default value in the
case of response_mode omission.

[2]

If an authorization request is made for FAPI READ+WRITE APIs and if the
value of authorization_signed_response_alg of the client is neither PS256
or ES256, should the request be rejected as required by "8.6 JWS algorithm
considerations" of "FAPI Part 2
<https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md>"?

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180922/1778a50b/attachment.html>


More information about the Openid-specs-fapi mailing list