Inconsistency in requirement to use HTTPS for request_uri

Issue #67 resolved
Dave Tonge created an issue

There seems to be an inconsistency between 5.2 and 5.2.1.

5.2: The scheme used in the "request_uri" value MUST be "https", unless the target Request Object is signed in a way that is verifiable by the Authorization Server.

5.2.1: The Client stores the Request Object resource either locally or remotely at a URL the Authorization Server can access. The URL MUST be HTTPS URL. This URL is the Request Object URI, "request_uri".

I think they should be consistent. Either the "unless" should be repeated in 5.2.1 or it should be removed from 5.2.
