[Openid-specs-fapi] Issue #243: FAPI-CIBA: Is request_context a claim or a request parameter? (openid/fapi)
issues-reply at bitbucket.org
Tue Jul 2 07:40:36 UTC 2019
New issue 243: FAPI-CIBA: Is request_context a claim or a request parameter?
It's ambiguous whether `request_context` is a claim in a signed authentication request \(CIBA Core 7.1.1\) or a request parameter \(CIBA Core 7.1\).
The following are excerpts from the FAPI-CIBA profile that mention `request_context`.
**FAPI-CIBA profile, 5.2.2 Authorization Server**
> _10. may require clients to provide a_ `request_context` _claim as defined in section 5.3 of this profile; and_
**FAPI-CIBA profile, 5.3 Extensions to CIBA authentication request**
> _This profile defines the following extensions to the authentication request defined in CIBA section 7.1._
> _1._ `request_context`_: OPTIONAL. a JSON object \(the contents of which are not defined by this specification\) containing information to inform fraud and threat decisions. For example, an ecosystem may require relying parties to provide geolocation for the consumption device._
"CIBA section 7.1" referred to in the first paragraph of FAPI-CIBA 5.3 lists **request parameters, not claims**. If "CIBA section **7.1.1**" were referred to instead of "CIBA section **7.1**", there would be no ambiguity and readers would think that `request_context` is a claim in a signed authentication request.
If `request_context` is a request parameter like `client_notification_token`, it should be written explicitly.
More information about the Openid-specs-fapi