Inconsistency on the need to sign the request object

Issue #69 resolved
Dave Tonge created an issue

These two statements below appear to be inconsistent?

 <t>The authorization request object MUST be one of the following: </t>
      <t><list style="format (%c)">
            <t>JWS signed </t>
            <t>JWE encrypted (when symmetric keys are being used)</t>
            <t>JWS signed and JWE encrypted</t>
        </list></t>
 <t>
        Unless the access to the <spanx style="verb">request_uri</spanx>
        over TLS provides adequate authentication of the source of 
        the Request Object, the Request Object MUST be JWS Signed. 
      </t>
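To make the two extracts concrete, here is a small classifier and policy check an authorization server might run on an incoming request object. This is an added example written for this page, not code from the FAPI specification or from the issue reporter; the tokens are constructed with placeholder signatures and ciphertext, and the check inspects only the JOSE header and compact-serialization shape (it does not verify signatures or decrypt). The symmetric key-management algorithms are those listed in RFC 7518 section 4.1; the `source_tls_authenticated` flag is an assumed input standing for "the `request_uri` fetch over TLS authenticated the client".

```python
import base64
import json

# JWE "alg" values that use a key shared between client and AS (RFC 7518 s4.1).
SYMMETRIC_JWE_ALGS = {
    "dir", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact(header: dict, *segments: bytes) -> str:
    """Build a compact JOSE serialization from a header and raw segments."""
    return ".".join([_b64url(json.dumps(header).encode())] + [_b64url(s) for s in segments])


def jose_header(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[0]))


def classify_request_object(token: str) -> str:
    """Return 'jws', 'jwe', 'jws+jwe' or 'unsigned' from the token's structure.

    Compact JWS has three dot-separated parts, compact JWE has five. A JWE whose
    header carries cty="JWT" signals a nested JWT (RFC 7519 s5.2); the AS still
    has to decrypt it and classify the inner token before trusting that hint.
    """
    parts = token.split(".")
    header = jose_header(token)
    if len(parts) == 3:
        # "alg": "none" is an unsecured JWS (RFC 7515 appendix A.5).
        return "unsigned" if header.get("alg", "none") == "none" else "jws"
    if len(parts) == 5:
        return "jws+jwe" if str(header.get("cty", "")).upper() == "JWT" else "jwe"
    raise ValueError("not a compact JWS or JWE")


def satisfies_list_rule(token: str) -> bool:
    """First extract: JWS signed, JWE encrypted with symmetric keys, or both."""
    kind = classify_request_object(token)
    if kind in ("jws", "jws+jwe"):
        return True
    if kind == "jwe":
        return jose_header(token).get("alg") in SYMMETRIC_JWE_ALGS
    return False


def satisfies_tls_rule(token: str, source_tls_authenticated: bool) -> bool:
    """Second extract: MUST be JWS signed unless TLS authenticated the source."""
    if source_tls_authenticated:
        return True
    return classify_request_object(token) in ("jws", "jws+jwe")


def accept(token: str, source_tls_authenticated: bool) -> bool:
    """Apply both extracts as written; a token must pass each of them."""
    return satisfies_list_rule(token) and satisfies_tls_rule(token, source_tls_authenticated)


# Constructed sample tokens; signature/ciphertext bytes are placeholders.
SIGNED = _compact({"alg": "PS256", "kid": "client-key-1"},
                  b'{"iss":"client","aud":"https://as.example"}', b"placeholder-sig")
SYM_ENCRYPTED = _compact({"alg": "dir", "enc": "A256GCM"}, b"", b"iv", b"ct", b"tag")
ASYM_ENCRYPTED = _compact({"alg": "RSA-OAEP", "enc": "A256GCM"}, b"cek", b"iv", b"ct", b"tag")
NESTED = _compact({"alg": "dir", "enc": "A256GCM", "cty": "JWT"}, b"", b"iv", b"ct", b"tag")
UNSIGNED = _compact({"alg": "none"}, b'{"iss":"client"}', b"")

if __name__ == "__main__":
    for name, tok in [("signed", SIGNED), ("sym-jwe", SYM_ENCRYPTED),
                      ("asym-jwe", ASYM_ENCRYPTED), ("nested", NESTED), ("unsigned", UNSIGNED)]:
        print(f"{name:9} {classify_request_object(tok):8} list={satisfies_list_rule(tok)!s:5} "
              f"tls(no)={satisfies_tls_rule(tok, False)!s:5} accept(no tls)={accept(tok, False)}")
```

The symmetric-key JWE case is where the two extracts diverge: `satisfies_list_rule` accepts it (option b of the list), while `satisfies_tls_rule` rejects it whenever the `request_uri` fetch did not authenticate the source, so an AS applying both rules literally would only ever accept an encrypted-only request object when TLS authentication is present.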

Comments (2)

  1. Dave Tonge reporter

    The implication of the 2nd point is that the request object doesn't need to be signed if the AS trusts the client identity from the TLS Cert.

    I suggest either:

    • The spec is made consistent that request objects must conform to 1 of the 3 options in the top extract.

    or

    • TLS source authentication is included in the first section.