[Openid-specs-fapi] Issue #574: FAPI 2 Baseline - Interop Question Clarification over the use of PAR (openid/fapi)

Ralph Bragg issues-reply at bitbucket.org
Wed Feb 1 01:59:38 UTC 2023


New issue 574: FAPI 2 Baseline - Interop Question Clarification over the use of PAR
https://bitbucket.org/openid/fapi/issues/574/fapi-2-basline-interop-question

Ralph Bragg:

The FAPI 2.0 Baseline specification obliges all parties to use PAR; however, I could not find any reference to the behaviour that should be expected of authorisation servers where one particular request parameter was not included in the PAR request but was included as part of the redirect.

One well-known Open Source vendor used by a provider in a new Australian Ecosystem is ignoring the ‘prompt’ parameter that was not sent as part of the PAR request, whereas all other vendors will happily enforce PAR but then process request parameters sent as part of the redirect that were not included in the PAR request.

A reading of FAPI 2 Baseline implies that everyone uses PAR (and only PAR), but it doesn’t go as far as to explicitly mandate that elements conveyed outside of the PAR request should be ignored. I appreciate that language to this effect might be challenging, as client_id for example must always be sent outside of the PAR request, but barring this exclusion is there any reason why we wouldn’t ban additional request parameters?

To improve interoperability it would be great if we could land on an expected consistent behaviour for this case.

Also - apologies if I have missed where this behaviour has been defined and standardised.
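The strict behaviour the issue asks for, as an added example that is not part of the original post, the FAPI specification or any vendor's code: an authorisation-endpoint check that accepts only `client_id` and `request_uri` in the front-channel redirect, rejects anything else (such as a `prompt` that was never pushed) instead of silently ignoring or merging it, and takes the effective parameters solely from the stored PAR request. The `PushedRequest` store, the `sample_store()` contents and the `AuthzError` class are assumptions made for the example.

```python
"""Front-channel check for a PAR-only authorisation server (FAPI 2.0 Baseline).

Added example, not code from the FAPI spec or any vendor. It rejects redirect
parameters that were not pushed via PAR rather than ignoring or honouring them.
"""
from dataclasses import dataclass
import time

# Assumption: only these two parameters may legitimately appear outside PAR.
ALLOWED_FRONT_CHANNEL = {"client_id", "request_uri"}


@dataclass
class PushedRequest:
    """Parameters stored by the PAR endpoint, keyed by request_uri."""
    client_id: str
    params: dict
    expires_at: float
    used: bool = False


class AuthzError(Exception):
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error


def validate_front_channel(query: dict, par_store: dict, now=None) -> dict:
    """Return the effective authorisation parameters, taken only from the PAR request."""
    now = time.time() if now is None else now
    extra = set(query) - ALLOWED_FRONT_CHANNEL
    if extra:  # e.g. 'prompt' sent in the redirect but not in the PAR request
        raise AuthzError("invalid_request", f"must be pushed via PAR: {sorted(extra)}")
    if "request_uri" not in query or "client_id" not in query:
        raise AuthzError("invalid_request", "request_uri and client_id are required")
    pushed = par_store.get(query["request_uri"])
    if pushed is None or pushed.used or pushed.expires_at < now:
        raise AuthzError("invalid_request_uri", "unknown, used or expired request_uri")
    if pushed.client_id != query["client_id"]:
        raise AuthzError("invalid_request", "client_id does not match the pushed request")
    pushed.used = True  # request_uri is single use
    return dict(pushed.params)


def sample_store() -> dict:
    """Constructed sample PAR store for demonstration (not real data)."""
    return {"urn:ietf:params:oauth:request_uri:demo": PushedRequest(
        client_id="client-1",
        params={"response_type": "code", "scope": "openid", "prompt": "login"},
        expires_at=2000.0)}
```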
