[Openid-specs-fapi] Question to clarify regarding FAPI-JARM
Anju Chamantha
chamantha97anju at gmail.com
Tue Jan 16 04:55:57 UTC 2024
Hi,
In the OIDC FAPI conformance suite's JARM profile, there are a couple of
tests [1] where the suite sends the *response_mode* only inside the *request*
object, and some parameters that should be inside the request object, such as *exp*, *nbf*,
*scope*, etc., are not sent. Those tests expect the authorization server to
return an error since the *request* object parameters are missing. This
error response is expected as a JARM response (JWT format).
Question:
With those *request* object parameters missing, the whole request
object should be invalid, and the existing parameters inside the request
object also should not be trusted. Therefore, since the *response_mode*
parameter is also inside this invalid request object, is it OK to trust its
value and switch the response mode according to it?
*[1] Referring test cases:*
fapi1-advanced-final-ensure-request-object-without-exp-fails,
fapi1-advanced-final-ensure-request-object-without-nbf-fails,
fapi1-advanced-final-ensure-request-object-without-scope-fails
etc.
Thank you.
--
Regards,
*Anju Chamantha*
Software Engineer.
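The decision point the post asks about, as an added example that is not part of the original message and not the conformance suite's or any authorization server's code: an authorization server receives an outer authorization request whose signed request object carries *response_mode* but lacks one of the claims the named tests remove (here *exp*), rejects the request object, and then has to pick a response mode for the error. The `trust_mode_from_invalid_request` flag makes both policies visible: honouring the *response_mode* found inside the rejected request object, or using only what the outer query carries. Assumptions: HS256 with shared keys stands in for the asymmetric signatures (PS256/ES256) FAPI and JARM require, so the example runs with the standard library only; the required-claim set is just the three claims the post names; the nbf/exp windows, issuer, client and key values are all invented for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Claims the conformance tests named in the post remove one at a time (assumed
# to be the only required ones here; a real FAPI AS checks more).
REQUIRED_CLAIMS = ("exp", "nbf", "scope")
# Assumed policy windows in seconds; the page does not restate the profile's limits.
MAX_NBF_AGE = 60 * 60
MAX_LIFETIME = 60 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS. HS256 is a stand-in so the example needs no crypto library;
    FAPI/JARM deployments sign with asymmetric keys (PS256/ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the payload claims; raise on any failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload))


def validate_request_object(claims: dict, now: int) -> Optional[str]:
    """Return None when the request object passes, else an error_description."""
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            return f"request object is missing required claim '{name}'"
    if claims["nbf"] > now or now - claims["nbf"] > MAX_NBF_AGE:
        return "nbf is in the future or older than the allowed window"
    if claims["exp"] <= now or claims["exp"] - claims["nbf"] > MAX_LIFETIME:
        return "exp is in the past or lifetime exceeds the allowed window"
    return None


def jarm_error(issuer: str, client_id: str, description: str, key: bytes, now: int) -> str:
    """Build a JARM error response: the error parameters as claims of a signed JWT."""
    return sign_hs256({"iss": issuer, "aud": client_id, "exp": now + 600,
                       "error": "invalid_request_object",
                       "error_description": description}, key)


def handle_authorize(query: dict, client_key: bytes, as_key: bytes, issuer: str,
                     now: int, trust_mode_from_invalid_request: bool) -> dict:
    """Simulate the AS's handling. `query` is the outer authorization request and
    query["request"] the client's signed request object."""
    try:
        claims = verify_hs256(query["request"], client_key)
    except (KeyError, ValueError) as exc:
        claims, problem = {}, f"request object not verifiable: {exc}"
    else:
        problem = validate_request_object(claims, now)
    if problem is None:
        mode = claims.get("response_mode", query.get("response_mode", "query"))
        return {"response_mode": mode, "error": None}
    # The question in the post: the request object was rejected, so is the
    # response_mode it carries still honoured, or only the outer query's value?
    if trust_mode_from_invalid_request:
        mode = claims.get("response_mode") or query.get("response_mode", "query")
    else:
        mode = query.get("response_mode", "query")
    if mode == "jwt" or mode.endswith(".jwt"):  # JARM response modes
        client_id = query.get("client_id", claims.get("client_id", ""))
        return {"response_mode": mode, "error": "invalid_request_object",
                "response": jarm_error(issuer, client_id, problem, as_key, now)}
    return {"response_mode": mode, "error": "invalid_request_object",
            "response": {"error": "invalid_request_object", "error_description": problem}}


def demo(trust_mode_from_invalid_request: bool) -> dict:
    """Constructed request mirroring fapi1-advanced-final-ensure-request-object-without-exp-fails:
    response_mode only inside the request object, exp absent. All values invented."""
    now = 1_700_000_000
    client_key, as_key = b"client-secret", b"as-secret"
    request_object = sign_hs256({"iss": "client-1", "aud": "https://as.example",
                                 "client_id": "client-1", "response_type": "code id_token",
                                 "scope": "openid", "redirect_uri": "https://client.example/cb",
                                 "nbf": now - 10, "response_mode": "jwt"}, client_key)
    query = {"client_id": "client-1", "response_type": "code id_token",
             "scope": "openid", "request": request_object}
    return handle_authorize(query, client_key, as_key, "https://as.example",
                            now, trust_mode_from_invalid_request)
```

Running `demo(True)` yields a JARM-formatted error (the AS followed the rejected request object's *response_mode*), while `demo(False)` yields a plain query-string style error because the outer request never named a response mode; the conformance tests the post cites expect the former shape.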