[Openid-specs-fapi] Issue #620: Request for clarification on fapi1-advanced-final-par-pushed-authorization-url-as-audience-in-request-object test case (openid/fapi)

Vimukthi Rajapaksha issues-reply at bitbucket.org
Fri Aug 4 07:02:20 UTC 2023


New issue 620: Request for clarification on fapi1-advanced-final-par-pushed-authorization-url-as-audience-in-request-object test case
https://bitbucket.org/openid/fapi/issues/620/request-for-clarification-on-fapi1

Vimukthi Rajapaksha:

Hi Team,  
  
The _“fapi1-advanced-final-par-pushed-authorization-url-as-audience-in-request-object”_ test case\[1\] in _“fapi1-advanced-final-test-plan\[2\]”_ version 5.1.5 sends the PAR endpoint URL as the audience in the request object. The authorization server is expected to reject the request with an _invalid\_request\_object_ error message. However, according to the RFC 9126#section-2\[3\] specification, the authorization server MUST accept its issuer identifier, token endpoint URL, or **pushed authorization request endpoint URL as valid aud values**. This seems to be a conflict between the test case and the specification. We would appreciate it if we could clarify this.  
  
\[1\] [https://www.certification.openid.net/log-detail.html?log=chprTHoTdUuAXa2&public=true](https://www.certification.openid.net/log-detail.html?log=chprTHoTdUuAXa2&public=true)  
\[2\] [https://www.certification.openid.net/plan-detail.html?plan=0IEBEA1sPWoOp&public=true](https://www.certification.openid.net/plan-detail.html?plan=0IEBEA1sPWoOp&public=true)  
\[3\] [https://www.rfc-editor.org/rfc/rfc9126.html#section-2](https://www.rfc-editor.org/rfc/rfc9126.html#section-2)  
  
Thank you,  
Vimukthi
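
The two audience checks an authorization server performs on a PAR request, as an added example that is not part of the original post or of the conformance suite. It assumes that the RFC 9126 section 2 list governs the JWT client assertion, and that the request object's aud is checked against the issuer identifier as in FAPI 1 Advanced; all URLs and function names are constructed for illustration, and signature verification is assumed to have happened already.

```python
# Added example: aud checks for the two JWTs a client can send to a PAR endpoint.
# URLs below are constructed sample values for a hypothetical authorization server.
ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = "https://as.example.com/token"
PAR_ENDPOINT = "https://as.example.com/par"


def _aud_values(claims):
    """Return the aud claim as a list; aud may be a string or an array."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return []  # a missing or malformed aud never matches


def check_client_assertion_aud(claims):
    """RFC 9126 section 2 list: issuer, token endpoint or PAR endpoint URL."""
    accepted = {ISSUER, TOKEN_ENDPOINT, PAR_ENDPOINT}
    return any(a in accepted for a in _aud_values(claims))


def check_request_object_aud(claims):
    """Assumed FAPI 1 Advanced rule: aud is, or contains, the issuer."""
    if ISSUER in _aud_values(claims):
        return None  # no error
    return "invalid_request_object"


def validate_par_request(assertion_claims, request_object_claims):
    """Return an OAuth error code, or None when both audiences pass."""
    if not check_client_assertion_aud(assertion_claims):
        return "invalid_client"
    return check_request_object_aud(request_object_claims)
```

Under these assumptions a PAR endpoint URL passes as the client assertion audience but yields invalid_request_object as the request object audience, which is the outcome the test case expects.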


