[Openid-specs-risc] openid/sharedsignals: New Issue opened

github at oidf.org github at oidf.org
Tue Nov 4 18:50:57 UTC 2025


openid/sharedsignals event

Issue opened
Issue Title: Handling push delivery requests with Authorization header if stream config defines no push authorization header
https://github.com/openid/sharedsignals/issues/301

[6.1.1. Push Delivery using HTTP](https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html#section-6.1.1) says that

> authorization_header
>
> If the endpoint_url requires authorization, the receiver SHOULD provide this authorization header in the stream creation/updation. If present, the Transmitter MUST provide this value with every HTTP request to the endpoint_url.

How to deal with the case that a stream explicitly does not define a push authorization header but the transmitter sends an `Authorization` header anyway?

If we receive an authorization header for push endpoint requests, without specifying one, this might indicate a configuration issue on either the transmitter or receiver side.

Should a receiver ignore the authorization header and accept the request, or should the receiver reject the request?

In the latest version of the conformance suite, we have a new test (openid-ssf-transmitter-push-no-auth) which explicitly uses NO push authorization header and fails the test if the transmitter sends a request with an authorization header.
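The receiver-side decision discussed in the issue above, as an added example that is not part of the original message or of the conformance suite: it covers every combination of configured and received header, with the unexpected-header case left as a switch because the quoted spec text does not settle it. The names `check_push_auth`, `Decision` and `reject_unexpected` are hypothetical, and the header values are constructed.

```python
import hmac
from enum import Enum
from typing import Optional


class Decision(Enum):
    ACCEPT = "accept"
    ACCEPT_AND_FLAG = "accept_and_flag"  # accept, but record a config-drift finding
    REJECT = "reject"


def check_push_auth(configured: Optional[str], received: Optional[str],
                    reject_unexpected: bool = False) -> Decision:
    """Decide how a receiver's push endpoint treats one request.

    configured: authorization_header from the stream config (None/"" if unset).
    received:   Authorization header on the push request (None if absent).
    reject_unexpected: assumed receiver policy for the case the issue raises.
    """
    if configured:
        # Stream config defines a header: the transmitter MUST send this value.
        if received is None:
            return Decision.REJECT
        # Constant-time comparison so the check does not leak the secret via timing.
        if hmac.compare_digest(configured.encode(), received.encode()):
            return Decision.ACCEPT
        return Decision.REJECT
    if received is None:
        # No header configured, none sent: consistent on both sides.
        return Decision.ACCEPT
    # No header configured but one arrived: the case raised in the issue.
    # Either way the mismatch is worth surfacing; never log the header value itself.
    return Decision.REJECT if reject_unexpected else Decision.ACCEPT_AND_FLAG


if __name__ == "__main__":
    token = "Bearer constructed-example-token"  # constructed sample value
    for cfg, got in [(token, token), (token, None), (None, None), (None, token)]:
        print(bool(cfg), got is not None, check_push_auth(cfg, got).value)
```
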