Standard - 2.3.1.3 Request file requiring all request params to be included is false

Issue #541 resolved
Nat Sakimura created an issue

Currently, it goes:

{{{ All Authorization Request parameters that are part of the Authorization Request excluding the request parameter MUST also be JSON Serialized into the OpenID Request Object with the same values. This allows the Client to send signed and/or encrypted requests to the Authorization Server and maintain conformance to OAuth 2.0. The OpenID Request Object MAY be signed and encrypted via JWS [JWS] and JWE [JWE] respectively, thereby providing authentication, integrity, non-repudiation and/or confidentiality. }}}

Not all params need to be in the OpenID Request Object, but the above paragraph requires them to be.

Notably, nonce and state parameters are not necessarily in this file, if we want cache-ability. We fixed this problem for Messages, but seem to have forgotten to do the same with Standard. Messages says:

Wording proposal: {{{ All Authorization Request parameters that are part of the Authorization Request excluding 'request', 'nonce', and 'state' MUST also be JSON Serialized into the OpenID Request Object with the same values. This allows the Client to send signed and/or encrypted requests to the Authorization Server and maintain conformance to OAuth 2.0. The OpenID Request Object MAY be signed and encrypted via JWS [JWS] and JWE [JWE] respectively, thereby providing authentication, integrity, non-repudiation and/or confidentiality. }}}
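The rule quoted in the proposal (every Authorization Request parameter except the exempted ones must also appear in the Request Object with the same value) is something an Authorization Server can check mechanically. The following is an added illustration, not code from the OpenID specifications or from the issue; the authorization URL and the decoded Request Object payload are constructed sample data, the exempt set defaults to the proposal's 'request', 'nonce', 'state' (plus 'request_uri', assumed here because the file cannot reference itself) and can be narrowed or widened to check other variants of the rule.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Parameters the proposed wording exempts from the "must also be in the
# Request Object with the same value" rule. 'request_uri' is added as an
# assumption: the parameter pointing at the request file is not inside it.
DEFAULT_EXEMPT = frozenset({"request", "request_uri", "nonce", "state"})


def check_request_object(authz_url, request_object, exempt=DEFAULT_EXEMPT):
    """Compare the query parameters of an Authorization Request with the
    claims of its (already verified and decoded) Request Object.

    Returns {'missing': [...], 'mismatched': {name: (query, object)}}.
    Both empty means the request conforms to the quoted rule."""
    query = parse_qs(urlsplit(authz_url).query, keep_blank_values=True)
    missing, mismatched = [], {}
    for name, values in sorted(query.items()):
        if name in exempt:
            continue
        value = values[0]  # OAuth forbids repeated parameters; take the first
        if name not in request_object:
            missing.append(name)
        elif str(request_object[name]) != value:  # JSON may hold numbers
            mismatched[name] = (value, request_object[name])
    return {"missing": missing, "mismatched": mismatched}


def conforms(authz_url, request_object, exempt=DEFAULT_EXEMPT):
    result = check_request_object(authz_url, request_object, exempt)
    return not result["missing"] and not result["mismatched"]


# Constructed sample: a request-file style Authorization Request ...
SAMPLE_URL = (
    "https://op.example.com/authorize?response_type=code%20id_token"
    "&client_id=client-123&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
    "&scope=openid%20profile&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&max_age=3600"
    "&request_uri=https%3A%2F%2Fclient.example.org%2Frequest.jwt"
)
# ... and the constructed payload of the referenced Request Object, which
# omits nonce/state (cacheable) but disagrees with the query on max_age.
SAMPLE_REQUEST_OBJECT = json.loads("""{
  "iss": "client-123", "aud": "https://op.example.com",
  "response_type": "code id_token", "client_id": "client-123",
  "redirect_uri": "https://client.example.org/cb",
  "scope": "openid profile", "max_age": 86400
}""")

if __name__ == "__main__":
    print(check_request_object(SAMPLE_URL, SAMPLE_REQUEST_OBJECT))
```

With the proposal's exemptions only max_age is reported, as a value mismatch; narrowing the exempt set to just 'request'/'request_uri' reproduces the original wording and additionally flags nonce and state as missing.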

Comments (4)

  1. John Bradley

    In ticket #378 https://bitbucket.org/openid/connect/issue/378/messages-2312-parameters-in-request-object

    Sec 2.3.1.2 was corrected to allow nonce, state, client_id, and redirect_uri to not be in the request object for the request object method.

    We decided not to make the same change to the request file method at the time.

    I am not opposed to making the same change to the request file method. Though the reason to use that is to keep the redirect small.

    We do have a problem with Messages Sec 2.1.2.1 not matching Standard 2.3.1.2. I will file a separate ticket on that.

    John

  2. Nat Sakimura reporter

    Actually, we do not need to repeat the same sentences. We should just reference OpenID Request Object. I will make the change accordingly.
