[Openid-specs-fapi] Support FAPI PAR without JAR(rfc 9101)

Joseph Heenan joseph at authlete.com
Fri Dec 15 10:17:53 UTC 2023


Hi Rivindu

Is your question whether the server must support an Authorization Endpoint call in the form:

https://as.example.com/authorize?client_id=1234&request_uri=foo

(i.e. without the response_type)

If so, then the answer is yes: FAPI-conformant servers that support PAR must accept Authorization Endpoint calls with response_type etc. not present. I think there were a few reasons why we decided that, but at least part of it was the desire not to expose information (like the scope being requested) to the browser in the Authorization Endpoint call.

Cheers,

Joseph


> On 15 Dec 2023, at 18:15, Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> 
> This question was sent to the list owner instead of the list. So I am forwarding 
> 
> ---------- Forwarded message ---------
> From: Rivindu Madushan <rivindu.madushan at gmail.com <mailto:rivindu.madushan at gmail.com>>
> Date: Fri, 15 Dec 2023 14:37
> Subject: Support FAPI PAR without JAR(rfc 9101)
> To: <openid-specs-fapi-owner at lists.openid.net <mailto:openid-specs-fapi-owner at lists.openid.net>>
> 
> 
> Hi team,
> 
> This is regarding the use of Pushed authorization requests according to the FAPI specification.
> 
> According to the specification 5.2.3-8[1], for the authorization request, clients must send all the parameters inside the authorization request's request object. It doesn't mention the /par call. As per the PAR specification[2], if the OP supports JAR[3], then all the parameters must be sent inside the request object for the /par call.
> 
> My question is: can there be an OP who supports FAPI while not having support for JAR (RFC 9101), i.e. one that expects the client to send duplicates of the response_type, client_id, and scope parameters in the /par call?
> 
> Highly appreciate your insight on this.
> 
> [1] https://openid.net/specs/openid-financial-api-part-2-1_0.html#confidential-client
> [2] https://datatracker.ietf.org/doc/html/rfc9126#name-the-request-request-paramet
> [3] https://datatracker.ietf.org/doc/html/rfc9101
> 
> Thanks & Regards,
> Rivindu
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-fapi

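The exchange Joseph describes, as an added example that is not part of the original thread or of any vendor's code: a toy authorization server in Python whose /par endpoint accepts either a JAR request object or plain form parameters, and whose authorization endpoint accepts a URL carrying only client_id and request_uri, pulling response_type, scope and the rest from the pushed request so they never reach the browser. Everything here is constructed for illustration (the client registration, the shared secret, the URLs, the parameter values); HS256 stands in for the PS256/ES256 signatures FAPI requires so that the script runs on the standard library alone, and the request_uri binding, single-use and expiry checks follow RFC 9126. Whether a FAPI-conformant OP may omit JAR at /par is the open question in the thread and is not settled by this code.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # RFC 9126 section 2.2
PAR_LIFETIME = 90  # seconds a pushed request stays valid; returned as expires_in

# Constructed client registration for this example, not a real deployment.
CLIENTS = {
    "1234": {
        "secret": b"constructed-example-secret",
        "redirect_uris": ["https://client.example.org/cb"],
    },
}
PUSHED = {}  # request_uri -> {"client_id", "params", "expires_at"}

class AuthzError(Exception):
    """Carries the OAuth error code the endpoint would return."""

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: build the JAR request object as a JWS. HS256 with a shared
    secret keeps this dependency-free; FAPI requires PS256 or ES256."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_request_object(jwt: str, secret: bytes) -> dict:
    """Server side: check the signature and return the claims (the OAuth parameters)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise AuthzError("invalid_request_object")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise AuthzError("invalid_request_object")
    return json.loads(_b64url_decode(parts[1]))

def par_endpoint(form: dict, authenticated_client_id: str) -> dict:
    """POST /par. The client has already authenticated (mTLS or private_key_jwt in
    FAPI); `form` carries either a JAR `request` JWT or plain OAuth parameters."""
    client = CLIENTS.get(authenticated_client_id)
    if client is None:
        raise AuthzError("invalid_client")
    if "request_uri" in form:  # RFC 9126 section 2.1: request_uri is not allowed at /par
        raise AuthzError("invalid_request")
    params = verify_request_object(form["request"], client["secret"]) if "request" in form else dict(form)
    if params.get("client_id") != authenticated_client_id:  # must match the authenticated client
        raise AuthzError("invalid_request")
    if "response_type" not in params or params.get("redirect_uri") not in client["redirect_uris"]:
        raise AuthzError("invalid_request")
    request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
    PUSHED[request_uri] = {"client_id": authenticated_client_id, "params": params,
                           "expires_at": time.time() + PAR_LIFETIME}
    return {"request_uri": request_uri, "expires_in": PAR_LIFETIME}

def authorize_endpoint(url: str) -> dict:
    """GET /authorize. With PAR only client_id and request_uri need to be in the
    browser-visible URL; response_type, scope and the rest come from the pushed
    request, so the front channel never sees them."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client_id, request_uri = query.get("client_id"), query.get("request_uri")
    if not client_id or not request_uri:
        raise AuthzError("invalid_request")
    record = PUSHED.pop(request_uri, None)  # pop: a request_uri is single use
    if record is None or record["client_id"] != client_id or time.time() > record["expires_at"]:
        raise AuthzError("invalid_request")  # unknown, replayed, expired, or another client's
    return record["params"]  # the AS proceeds with these, not with the query string

def error_code(endpoint, *args) -> str:
    """Call an endpoint and return its OAuth error code, or '' on success."""
    try:
        endpoint(*args)
        return ""
    except AuthzError as exc:
        return exc.args[0]

def demo_flow() -> dict:
    """Happy path: push a signed request object, then call /authorize with only client_id and request_uri."""
    claims = {"iss": "1234", "aud": "https://as.example.com", "client_id": "1234",
              "response_type": "code", "redirect_uri": "https://client.example.org/cb",
              "scope": "openid accounts", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}
    pushed = par_endpoint({"request": sign_request_object(claims, CLIENTS["1234"]["secret"])}, "1234")
    url = "https://as.example.com/authorize?" + urlencode({"client_id": "1234", "request_uri": pushed["request_uri"]})
    return {"par_response": pushed, "authorize_url": url, "resolved": authorize_endpoint(url)}
```

Running demo_flow() produces an authorization URL of the shape Joseph quotes (client_id plus request_uri only) and resolves it back to the pushed parameters; a second visit to the same URL, a request_uri presented by a different client_id, or a request object whose payload was altered after signing are all rejected.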