[Openid-specs-fapi] Fwd: Support FAPI PAR without JAR(rfc 9101)

Nat Sakimura nat at sakimura.org
Fri Dec 15 09:15:33 UTC 2023


This question was sent to the list owner instead of the list. So I am
forwarding it.

---------- Forwarded message ---------
From: Rivindu Madushan <rivindu.madushan at gmail.com>
Date: Fri, Dec 15, 2023, 14:37
Subject: Support FAPI PAR without JAR(rfc 9101)
To: <openid-specs-fapi-owner at lists.openid.net>


Hi team,

This is regarding the use of pushed authorization requests according to the
FAPI specification.

According to the specification 5.2.3-8[1], for the authorization request,
clients must send all the parameters inside the authorization request's
request object. It doesn't mention the /par call. As per the PAR
specification[2], if the OP supports JAR[3], then all the parameters must
be sent inside the request object for the /par call.

My question is: can there be an OP that supports FAPI while not having
support for JAR (RFC 9101), i.e., it expects the client to send the duplicates
of the response_type, client_id, and scope parameters in the /par call?

Highly appreciate your insight on this.

[1]
https://openid.net/specs/openid-financial-api-part-2-1_0.html#confidential-client
[2]
https://datatracker.ietf.org/doc/html/rfc9126#name-the-request-request-paramet
[3] https://datatracker.ietf.org/doc/html/rfc9101

Thanks & Regards,
Rivindu