[Openid-specs-fapi] Issue #340: treatment of authorization request parameters outside PAR (openid/fapi)

Brian Campbell issues-reply at bitbucket.org
Wed Nov 18 21:27:22 UTC 2020


New issue 340: treatment of authorization request parameters outside PAR
https://bitbucket.org/openid/fapi/issues/340/treatment-of-authorization-request

Brian Campbell:

Baseline has "shall reject authorization requests sent without [@I-D.lodderstedt-oauth-par] or authorization request parameters sent outside of the PAR request, except for `request_uri` and `client_id`"

But request parameters outside shouldn't require rejection, rather they just must not be relied upon so should be ignored.  The end of [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5) even talks about why a client might send parameters duplicated outside. Also the I-D.lodderstedt-oauth-par reference should be I-D.ietf-oauth-par.
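
The two treatments discussed in this issue, side by side, as an added example that is not part of the original message or of any FAPI or PAR implementation. The store, the `policy` switch, the function name and all sample values are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed stand-in for the AS's store of pushed requests:
# request_uri -> (client_id that pushed it, the parameters it pushed).
PAR_STORE = {
    "urn:example:request_uri:abc123": (
        "client-1",
        {"response_type": "code", "scope": "openid payments",
         "redirect_uri": "https://client.example/cb", "state": "s-pushed"},
    ),
}

# The only parameters the quoted Baseline text permits outside the PAR request.
ALLOWED_OUTSIDE = {"client_id", "request_uri"}


class RequestRejected(Exception):
    """Raised when the authorization endpoint refuses the request."""


def resolve_authorization_request(query_string, policy):
    """Return (effective_params, ignored_names) for an authorization endpoint hit.

    policy="reject": the quoted Baseline wording, any extra parameter is an error.
    policy="ignore": the treatment proposed in the issue, extras are dropped.
    """
    query = {k: v[0] for k, v in parse_qs(query_string).items()}
    request_uri = query.get("request_uri")
    if request_uri is None:
        raise RequestRejected("authorization request sent without PAR")
    pushed = PAR_STORE.get(request_uri)
    if pushed is None:
        raise RequestRejected("unknown or expired request_uri")
    owner, pushed_params = pushed
    # Assumption: the request_uri is bound to the client that pushed it.
    if query.get("client_id") != owner:
        raise RequestRejected("client_id does not match the pushed request")
    extras = sorted(set(query) - ALLOWED_OUTSIDE)
    if extras and policy == "reject":
        raise RequestRejected("parameters outside PAR: " + ", ".join(extras))
    # Under "ignore" only the pushed values are used; nothing outside is merged
    # in, so a duplicated or altered query parameter cannot override them.
    return {"client_id": owner, **pushed_params}, extras
```
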
