[Openid-specs-fapi] Question to clarify regarding FAPI-JARM
Joseph Heenan
joseph at authlete.com
Tue Jan 16 06:23:41 UTC 2024
Hi Anju
I think there are different cases you are asking about.
In the case that the request object is obviously entirely invalid (e.g. signature validation fails) the conformance suite accepts a non-JARM response (and a JARM one is also allowed, as is showing an error to the user).
A request object without a scope does not seem to meet the ‘entirely invalid’ criteria; it’s a valid JWT but contains an invalid request.
I’m not entirely sure which case the ‘without-exp’ or ‘without-nbf’ case would fall into. It seems potentially valid to accept a non-JARM response there. We could check if you raise an issue with all the details: https://gitlab.com/openid/conformance-suite/-/issues/new
Note that, given you’re redirecting back to the client (rather than displaying an error to the user), the AS is presumably deciding to trust the redirect_uri, so a discussion about whether to trust the response_mode or not seems a bit irrelevant.
Thanks
Joseph
> On 16 Jan 2024, at 13:55, Anju Chamantha via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> Hi,
> In the OIDC FAPI conformance suite JARM profile, there are a couple of tests [1] where it sends the response_mode only inside the request object, and some params that should be inside the request like exp, nbf, scope, etc. are not sent. Those tests expect the authorization server to throw an error since the request object parameters are missing. This error response is expected as a JARM response (jwt format).
>
> Question:
> With those request object parameters missing, the whole request object should be invalid and the existing parameters inside it should also not be trusted. Therefore, since the response_mode parameter is also inside this invalid request object, is it OK to trust its value and switch the response mode accordingly?
>
>
> [1] Referring test cases:
> fapi1-advanced-final-ensure-request-object-without-exp-fails,
> fapi1-advanced-final-ensure-request-object-without-nbf-fails,
> fapi1-advanced-final-ensure-request-object-without-scope-fails
> etc.
>
> Thank you.
> --
> Regards,
>
> Anju Chamantha
> Software Engineer.
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-fapi
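The two cases discussed in this thread, as an added illustration that is not code from the conformance suite or from either poster: a request object whose signature fails is treated as entirely invalid and nothing in it (response_mode included) is trusted, whereas a correctly signed JWT that merely lacks exp, nbf or scope is answered in the response_mode it asked for, as a signed JARM error response. The HS256 demo key, the issuer URL and the list of required claims are assumptions made for the example; a real FAPI authorization server uses asymmetric signatures.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key and issuer; a real FAPI AS signs with an asymmetric key (e.g. PS256).
DEMO_KEY = b"constructed-demo-key"
AS_ISSUER = "https://as.example"  # placeholder issuer
JARM_MODES = {"jwt", "query.jwt", "fragment.jwt", "form_post.jwt"}
REQUIRED = ("exp", "nbf", "scope", "response_mode", "redirect_uri", "state", "client_id")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """HS256 compact JWS, enough to demonstrate the decision logic."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = DEMO_KEY):
    """Return the claims if the signature verifies, else None (entirely invalid)."""
    try:
        head, body, sig = token.split(".")
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None

def decide_error_response(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Classify a request object and pick how an error goes back to the client."""
    claims = verify_jwt(token, key)
    if claims is None:
        # Entirely invalid: nothing inside it, response_mode included, can be trusted,
        # so a plain (non-JARM) error, or an error page shown to the user, is appropriate.
        return {"mode": "plain", "error": "invalid_request_object"}
    missing = [c for c in REQUIRED if c not in claims]
    if not missing:
        return {"mode": "ok"}
    if claims.get("response_mode") not in JARM_MODES:
        return {"mode": "plain", "error": "invalid_request", "missing": missing}
    # Valid JWT carrying an invalid request: honour the requested JARM mode and return
    # a signed JARM error response (iss, aud, exp, error, error_description, state).
    now = int(time.time()) if now is None else now
    jarm = sign_jwt({"iss": AS_ISSUER, "aud": claims.get("client_id", ""), "exp": now + 600,
                     "error": "invalid_request", "state": claims.get("state", ""),
                     "error_description": "missing: " + ", ".join(missing)}, key)
    return {"mode": claims["response_mode"], "response": jarm, "missing": missing}
```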