[Openid-specs-fapi] Issue #576: FAPI2MS: Rejection of non-JAR/non-JARM requests (openid/fapi)

josephheenan issues-reply at bitbucket.org
Sun Feb 26 10:38:56 UTC 2023


New issue 576: FAPI2MS: Rejection of non-JAR/non-JARM requests
https://bitbucket.org/openid/fapi/issues/576/fapi2ms-rejection-of-non-jar-non-jarm

Joseph Heenan:

The current language [https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Message_Signing.md](https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Message_Signing.md) does not require Authorization servers supporting signed authorization requests (JAR) to reject unsigned authorization requests.

It’s hard to see how the spec meets the NR3 requirements if it is allowing unsigned requests.


Similarly for signed authorization responses (JARM) there’s no requirement on the server to reject requests made without JARM.
