[Openid-specs-fapi] Issue #635: one-time use of request_uri causing error (openid/fapi)
Nat
issues-reply at bitbucket.org
Wed Dec 20 13:37:40 UTC 2023
New issue 635: one-time use of request_uri causing error
https://bitbucket.org/openid/fapi/issues/635/one-time-use-of-request_uri-causing-error
Nat Sakimura:
From: Dec 13 Call:
It was found in Australia that one-time usage for request_uri in PAR causes errors in some browser-to-app interactions.
A combination of browser and virus checker was consuming the PAR uri by the time the client got the PAR response.
May need some guidance regarding relaxing the strict one-time usage of PAR uri.
Wording from PAR:
> Authorization servers SHOULD treat request_uri values as one-time use but MAY allow for duplicate requests due to a user reloading/refreshing their user agent.
https://www.rfc-editor.org/rfc/rfc9126.html#section-4
Relaxing one-time usage may be dangerous but might be practical
May write implementation advice/note that these situations may arise
Dima is going to open the issue. We are going to reach out to the Stuttgart team to find if it is a show-stopper if we relax it.
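An added example, not code from the issue, the FAPI profile or RFC 9126, of how an authorization server can hold pushed requests and apply either the strict one-time policy or the relaxed policy the quoted RFC text permits (a duplicate redemption from the same client shortly after the first, but never after expiry). The class names, the grace window and the request_uri lifetime are assumptions chosen for illustration.

```python
"""Added example, not code from the FAPI issue or RFC 9126: an authorization
server's request_uri registry for PAR, showing strict one-time use beside the
relaxed policy RFC 9126 allows (duplicates due to a user reloading/refreshing
the user agent). Class names, grace window and lifetime are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # prefix defined in RFC 9126


@dataclass
class _Entry:
    client_id: str
    params: dict
    expires_at: float
    first_used_at: Optional[float] = None


class RequestUriStore:
    """strict=True: each request_uri is redeemable exactly once.
    strict=False: the same client may redeem it again within grace_seconds of
    the first use (page reload, or an intermediary fetched it first), but
    never after it has expired and never from a different client."""

    def __init__(self, strict=True, grace_seconds=30.0, lifetime=60.0):
        self.strict, self.grace_seconds, self.lifetime = strict, grace_seconds, lifetime
        self._entries = {}

    def push(self, client_id, params, now=None):
        """PAR endpoint: store the request, return an unguessable request_uri."""
        now = time.time() if now is None else now
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._entries[request_uri] = _Entry(client_id, dict(params), now + self.lifetime)
        return request_uri

    def redeem(self, request_uri, client_id, now=None):
        """Authorization endpoint: stored params, or None when the request_uri
        must be rejected (unknown, expired, wrong client, reused outside policy)."""
        now = time.time() if now is None else now
        entry = self._entries.get(request_uri)
        if entry is None or entry.client_id != client_id or now >= entry.expires_at:
            return None
        if entry.first_used_at is None:
            entry.first_used_at = now  # first redemption: always accepted
            return dict(entry.params)
        # Reuse: strict rejects; relaxed tolerates it only inside the grace window.
        if self.strict or now - entry.first_used_at > self.grace_seconds:
            return None
        return dict(entry.params)
```

The `now` parameter exists only so the expiry and grace-window behaviour can be exercised deterministically; in a real server the wall clock is used.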