[Openid-specs-fapi] Issue #340: treatment of authorization request parameters outside PAR (openid/fapi)
Brian Campbell
issues-reply at bitbucket.org
Wed Nov 18 21:27:22 UTC 2020
New issue 340: treatment of authorization request parameters outside PAR
https://bitbucket.org/openid/fapi/issues/340/treatment-of-authorization-request
Brian Campbell:
Baseline has "shall reject authorization requests sent without [@I-D.lodderstedt-oauth-par] or authorization request parameters sent outside of the PAR request, except for `request_uri` and `client_id`"
But request parameters outside shouldn't require rejection, rather they just must not be relied upon so should be ignored. The end of [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5) even talks about why a client might send parameters duplicated outside. Also the I-D.lodderstedt-oauth-par reference should be I-D.ietf-oauth-par.
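The two treatments discussed in this issue, shown side by side in an added example that is not part of the original message or of the FAPI specification text. The store `PUSHED_REQUESTS`, the function `resolve_authorization_request`, the `strict` flag and all sample values are hypothetical and constructed for illustration.

```python
# Added illustration: "reject" (Baseline wording) versus "ignore" (proposed)
# for authorization request parameters sent outside the PAR request.
ALLOWED_OUTSIDE = {"client_id", "request_uri"}

# Constructed stand-in for the server-side state written by the PAR endpoint.
PUSHED_REQUESTS = {
    "urn:ietf:params:oauth:request_uri:example-1": {
        "client_id": "client-a",
        "params": {
            "response_type": "code",
            "redirect_uri": "https://client.example/cb",
            "scope": "openid accounts",
            "state": "s-123",
        },
    },
}


class AuthorizationRequestError(Exception):
    """Raised when the authorization request must be refused."""


def resolve_authorization_request(query, strict=False):
    """Return (effective_params, ignored_names) for a front-channel request.

    strict=True  -> reject any parameter outside PAR (Baseline wording).
    strict=False -> ignore such parameters and never rely on them (proposal).
    """
    request_uri = query.get("request_uri")
    client_id = query.get("client_id")
    # Requests sent without PAR are refused under either treatment.
    if not request_uri or not client_id:
        raise AuthorizationRequestError("request_uri and client_id are required")

    pushed = PUSHED_REQUESTS.get(request_uri)
    # The request_uri must exist and belong to the client presenting it.
    if pushed is None or pushed["client_id"] != client_id:
        raise AuthorizationRequestError("unknown request_uri for this client")

    outside = sorted(set(query) - ALLOWED_OUTSIDE)
    if outside and strict:
        raise AuthorizationRequestError("parameters outside PAR: " + ", ".join(outside))

    # Effective values come only from the pushed request; anything in the
    # query string besides client_id and request_uri has no influence.
    effective = dict(pushed["params"], client_id=client_id)
    return effective, outside
```

Returning the ignored names lets the server log them for monitoring without letting them affect processing.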