[Openid-specs-fapi] Issue #269: JARM response contents clarifications (openid/fapi)
issues-reply at bitbucket.org
Sat Sep 14 13:03:30 UTC 2019
New issue 269: JARM response contents clarifications
I'm trying to prototype some tests for JARM but I'm not 100% clear on the meaning of the spec:
1) Can servers optionally return nbf/iat (they're not mentioned in the JARM spec) in the response JWT?
1a) If they can, must those values be valid as per normal JWT rules for nbf/iat?
2) Can servers return other claims in the response JWT, or would that be an error or warning? (e.g. returning 'sub', 'c_hash' or 'nonce' claims would seem to indicate the server is not really doing the right thing)
3) Is 'kid' a MUST in the header? The text seems to imply so with explicit mentions of kid.
4) Is it an error for a server to return (say) state in the normal query parameters (i.e. returning state both inside and outside the JWT)?
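The four questions above describe checks a JARM client-side test would run. The following Python is an added illustration of such a prototype validator; it is not part of the issue, of the FAPI conformance suite or of the JARM spec. The shared secret, client id, issuer and redirect URLs are constructed, HS256 stands in for the asymmetric JWS signature an authorization server would really use (a client would verify against the server's JWKS), and because the spec text quoted leaves open whether nbf/iat belong, whether extra claims are an error or a warning, and whether kid is required, the severity assigned to each finding is an assumption of the example, not the spec's answer.

```python
"""Prototype conformance checks for a JARM authorization response (added example).

Constructed fixture: secret, client id, issuer and URLs are made up.  HS256 is
used only so the example is self-contained; real JARM responses are signed
with the authorization server's asymmetric key and verified via its JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlparse

# Assumed set of claims a JARM response JWT normally carries: the JARM
# envelope (iss, aud, exp) plus the OAuth response parameters it wraps.
# nbf/iat are treated separately because question 1 leaves them open.
EXPECTED_CLAIMS = {"iss", "aud", "exp", "state", "code",
                   "error", "error_description", "error_uri"}
LEEWAY = 30  # seconds of clock skew tolerated for exp/nbf/iat


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_response_jwt(header: dict, claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT as a test fixture (hypothetical helper, not a JARM API)."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def check_jarm_response(redirect_url, secret, client_id, issuer, now=None):
    """Return {'errors': [...], 'warnings': [...], 'claims': {...}} for one redirect."""
    now = int(time.time()) if now is None else now
    errors, warnings = [], []
    query = parse_qs(urlparse(redirect_url).query)
    if "response" not in query:
        return {"errors": ["no 'response' parameter"], "warnings": [], "claims": {}}
    jwt = query["response"][0]

    try:
        h_b64, c_b64, s_b64 = jwt.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, json.JSONDecodeError):
        return {"errors": ["response is not a compact JWS"], "warnings": [], "claims": {}}

    # Verify the signature before trusting any claim; never accept alg=none.
    if header.get("alg") != "HS256":
        errors.append(f"unexpected alg {header.get('alg')!r}")
    else:
        expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            errors.append("signature verification failed")
    if errors:
        return {"errors": errors, "warnings": warnings, "claims": {}}

    # Q3: the spec text mentions kid explicitly; absence is flagged as a warning (assumption).
    if "kid" not in header:
        warnings.append("header has no 'kid'")

    # JARM envelope claims: issuer, audience and expiry are always checked.
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now - LEEWAY:
        errors.append("exp missing or expired")

    # Q1/Q1a: nbf/iat are accepted as optional, but if present they must be plausible.
    for name in ("nbf", "iat"):
        if name in claims and (not isinstance(claims[name], int)
                               or claims[name] > now + LEEWAY):
            errors.append(f"{name} is in the future")

    # Q2: claims outside the expected set (e.g. sub, nonce, c_hash) are warned about.
    for name in sorted(set(claims) - EXPECTED_CLAIMS - {"nbf", "iat"}):
        warnings.append(f"unexpected claim {name!r}")

    # Q4: a response parameter present both in the query and in the JWT is an error.
    for name in sorted(set(query) - {"response"}):
        if name in claims:
            errors.append(f"{name!r} returned both in query and inside the JWT")
        else:
            warnings.append(f"extra query parameter {name!r}")

    return {"errors": errors, "warnings": warnings, "claims": claims}


if __name__ == "__main__":
    secret = b"shared-secret-for-example"  # constructed
    now = 1700000000  # constructed fixed clock
    jwt = make_response_jwt({"alg": "HS256", "kid": "k1"},
                            {"iss": "https://as.example", "aud": "client-1",
                             "exp": now + 600, "iat": now, "state": "abc", "code": "xyz"},
                            secret)
    print(check_jarm_response("https://client.example/cb?response=" + jwt,
                              secret, "client-1", "https://as.example", now=now))
```

Signature failures, issuer/audience mismatches and the query/JWT duplication from question 4 are returned as errors, while the open points (missing kid, nbf/iat, extra claims) come back as warnings or errors according to the assumptions noted above, so a test harness can tighten or relax each one once the working group settles the question.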