[Openid-specs-fapi] Issue #254: Pushed Request Object - The payload of the response (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Mon Jul 22 11:48:59 UTC 2019


New issue 254: Pushed Request Object - The payload of the response
https://bitbucket.org/openid/fapi/issues/254/pushed-request-object-the-payload-of-the

Takahiko Kawasaki:

In some REST API practices, when a server returns `201 Created`, the response contains the registered/created resource in its HTTP message body. If this practice is followed, a response from the request object endpoint should contain the payload part of the registered request object or the request object itself. (Note that I myself don't insist that the request object endpoint should follow this practice.)

From a viewpoint of the practice, the HTTP message body in the response from the request object endpoint in the current draft is confusing. It's because `iss` and `aud` are not for the registered request object while `exp` is for the registered request object. That is, claims of different entities are mixed in the HTTP message body.

Probably, `request_uri` and `expires_in` are enough. If we wanted to include `iss`, `aud`, `exp` and other well-known claims in the response from the request object endpoint, the HTTP message body of the response should be the payload part of the registered request object or the request object itself.
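As an added example, not code from the issue or from the draft it discusses, the following client-side helper contrasts the two response shapes the issue proposes: the minimal `request_uri` plus `expires_in` body, and the body that is the payload of the registered request object itself, where `iss`, `aud` and `exp` all describe that one object. Every sample value, the `urn:example:` request URI form, and the extra payload fields beyond `request_uri`, `expires_in`, `iss`, `aud` and `exp` are constructed for this example.

```python
"""Client-side handling of a request object endpoint response.

Added example, not code from the issue or from the draft it discusses.
It shows why a body whose claims all belong to one entity (the registered
request object) is unambiguous to validate, while the relative lifetime in
the minimal shape must be turned into an absolute deadline at receipt time.
All sample values below are constructed.
"""
import json
from dataclasses import dataclass


@dataclass
class RegisteredRequest:
    request_uri: str
    not_after: float  # absolute epoch seconds after which the URI must not be used


def parse_minimal_response(body: str, now: float) -> RegisteredRequest:
    """Minimal shape from the issue: only request_uri and expires_in.

    expires_in is a lifetime relative to the moment the response is received,
    so the client converts it to an absolute deadline here. No claim in this
    body describes any entity other than the registered request object.
    """
    data = json.loads(body)
    expires_in = data["expires_in"]
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("expires_in must be a positive integer number of seconds")
    return RegisteredRequest(data["request_uri"], now + expires_in)


def parse_payload_response(body: str, now: float,
                           expected_iss: str, expected_aud: str) -> RegisteredRequest:
    """Alternative shape from the issue: the body is the payload of the
    registered request object, so iss (the client), aud (the authorization
    server) and exp (absolute expiry) all describe that same object and can be
    checked against what the client itself registered.
    """
    data = json.loads(body)
    if data.get("iss") != expected_iss:
        raise ValueError("iss does not match the client that registered the request object")
    if data.get("aud") != expected_aud:
        raise ValueError("aud does not match the authorization server")
    exp = data["exp"]
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("registered request object has already expired")
    return RegisteredRequest(data["request_uri"], float(exp))


def usable(reg: RegisteredRequest, now: float) -> bool:
    """True while the request_uri may still be sent to the authorization endpoint."""
    return now < reg.not_after


# Constructed sample bodies (not taken from the draft or the issue).
MINIMAL_BODY = json.dumps({
    "request_uri": "urn:example:request_uri:abc123",  # constructed value
    "expires_in": 90,
})
PAYLOAD_BODY = json.dumps({
    "request_uri": "urn:example:request_uri:abc123",  # constructed value
    "iss": "https://client.example.com",              # constructed client id
    "aud": "https://as.example.com",                  # constructed AS issuer
    "exp": 1_563_800_000 + 90,                        # constructed absolute expiry
    "response_type": "code",                          # constructed payload field
    "redirect_uri": "https://client.example.com/cb",  # constructed payload field
})

if __name__ == "__main__":
    t0 = 1_563_800_000.0
    minimal = parse_minimal_response(MINIMAL_BODY, t0)
    payload = parse_payload_response(PAYLOAD_BODY, t0,
                                     "https://client.example.com", "https://as.example.com")
    print("minimal usable at +60s:", usable(minimal, t0 + 60))
    print("minimal usable at +90s:", usable(minimal, t0 + 90))
    print("payload usable at +60s:", usable(payload, t0 + 60))
```

The two parsers end in the same `RegisteredRequest` value for the same registration, which is the point: once the body's claims all refer to one entity, the client can verify `iss` and `aud` against its own registration and take `exp` as the deadline directly, instead of having to know which claims in a mixed body describe the response and which describe the request object.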