[Openid-specs-fapi] Issue #684: typ in request objects (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Tue Mar 19 22:19:31 UTC 2024
New issue 684: typ in request objects
https://bitbucket.org/openid/fapi/issues/684/typ-in-request-objects
Joseph Heenan:
I think JAR (as well as PAR/FAPI1/FAPI2) don’t say anything very explicit about the typ header in request objects.
In the conformance suite I believe the situation is:
* All OP tests: We do not send a typ value in request objects
* All RP tests: We do not do any validation on typ in received request objects
This came up as an interoperability question in Brazil, and it does look like we should probably be doing more validation.
One suggestion would be:
* All OP tests: Try sending each of typ: `JWT`, typ: `oauth-authz-req+jwt` and no typ header in request objects
* All RP tests: We validate typ is either absent, `JWT` or `oauth-authz-req+jwt`
Feedback from the WG is welcome. If we did do this we might need normative text making it clear that OPs have to accept all 3 values.
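The validation the second bullet of the suggestion describes, as an added example that is not code from the issue or from the conformance suite. It parses only the protected JOSE header of a compact-serialised request object and applies the typ comparison rules of RFC 7515 section 4.1.9; `ACCEPTED_TYP`, the function names and the unsigned test vectors are constructed for this example, and signature verification is assumed to happen separately.

```python
import base64
import json

# Constructed for this example: media types the issue proposes accepting,
# in the normalised form produced by normalise_typ() below.
ACCEPTED_TYP = {"application/jwt", "application/oauth-authz-req+jwt"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 Appendix C)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jose_header(request_object: str) -> dict:
    """Parse the protected header of a compact-serialised JWS request object.
    Signature verification is a separate step done before trusting the payload."""
    parts = request_object.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def normalise_typ(typ: str) -> str:
    """RFC 7515 section 4.1.9 comparison rules: media types are case-insensitive,
    and a value with no '/' is treated as if 'application/' were prepended."""
    typ = typ.strip().lower()
    return typ if "/" in typ else "application/" + typ


def typ_acceptable(request_object: str) -> bool:
    """The proposed check: typ absent, 'JWT' or 'oauth-authz-req+jwt' passes."""
    typ = jose_header(request_object).get("typ")
    if typ is None:
        return True          # no typ header: accepted under the proposal
    if not isinstance(typ, str):
        return False         # malformed typ value: reject rather than guess
    return normalise_typ(typ) in ACCEPTED_TYP


def make_request_object(header: dict) -> str:
    """Build a constructed, unsigned test vector; the signature segment is a
    placeholder because only the header matters for this check."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'client_id': 'constructed-client'})}.c2ln"
```

Because `typ` is a media type, `application/oauth-authz-req+jwt` and `OAUTH-AUTHZ-REQ+JWT` are accepted alongside the short lowercase form, while any other explicit type such as `at+jwt` is rejected.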