Core & Registration errata 2 incompatible with JAR

Issue #1061 resolved
Filip Skokan created an issue

The errata 2 drafts for Core and Dynamic Registration allow http to be used for request_uri (and request_uris in dynamic registration) where before this was https only. This is allowed only under the condition that the loaded Request Object is verifiable by the OP - signed and/or symmetrically encrypted.

Note: I couldn't find the discussion leading to this change.

JAR in its current draft on the other hand allows only https URIs and URNs.

> The "request_uri" value MUST be either URN as defined in RFC8141 or "https" URI as defined in 2.7.2 of RFC7230.

  • https always
  • http if the resulting object is verifiable
  • urn if there's a resolver implemented on the OP side

I get and support all three schemes but maybe the specs should align on this.
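The three scheme rules listed above can be turned into one policy check on the OP side. The following is an added illustration, not code from this issue tracker or from either specification: it classifies a `request_uri` by scheme under a chosen policy (`oidc-errata1`, `oidc-errata2`, `jar-17` are labels assumed here from the thread's list), and for the `http` case it inspects the compact JOSE header of the fetched Request Object to decide whether the object is signed or symmetrically encrypted. Header inspection is only the gate; real signature verification and decryption happen elsewhere and are not shown. The sample tokens are constructed from hand-built headers with dummy payload segments.

```python
import base64
import json
from urllib.parse import urlparse

# Allowed request_uri schemes per policy, as summarised in the thread (assumed labels).
POLICIES = {
    "oidc-errata1": {"https"},
    "oidc-errata2": {"https", "http"},
    "jar-17": {"https", "urn"},
}

# JWE key-management algorithms that are symmetric, so the OP shares the key with the RP
# and decrypting the object demonstrates who produced it (RFC 7518 names).
SYMMETRIC_JWE_ALGS = {
    "dir", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_json(segment):
    pad = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + pad))


def make_sample_token(header, segments):
    """Constructed stand-in for a compact JWS (3 segments) or JWE (5 segments).
    Only the header is meaningful; the remaining segments are filler."""
    filler = [_b64url_encode({"filler": i}) for i in range(segments - 1)]
    return ".".join([_b64url_encode(header)] + filler)


def request_object_is_verifiable(token):
    """True if the Request Object is a JWS with a real signature algorithm, or a
    JWE using a symmetric key-management algorithm. Unsecured JWS ('alg':'none')
    and asymmetric JWE (anyone could have encrypted to the OP's public key) fail.
    A JWS nested inside a JWE cannot be judged without decrypting, so it is
    treated as not verifiable here."""
    parts = token.split(".")
    try:
        header = _b64url_json(parts[0])
    except (ValueError, json.JSONDecodeError):
        return False
    if len(parts) == 5 and "enc" in header:
        return header.get("alg") in SYMMETRIC_JWE_ALGS
    if len(parts) == 3:
        return header.get("alg", "none") != "none"
    return False


def request_uri_allowed(uri, policy, request_object=None, urn_resolver=None):
    """Decide whether the OP may dereference `uri` under `policy`.

    request_object: the compact JOSE string already fetched from an http URI.
    urn_resolver:   callable mapping a URN to a Request Object, or None if the
                    OP implements no resolver (the thread's third condition)."""
    scheme = urlparse(uri).scheme.lower()
    if scheme not in POLICIES[policy]:
        return False
    if scheme == "http":
        # Errata 2 condition: plain http only if the loaded object is verifiable.
        return request_object is not None and request_object_is_verifiable(request_object)
    if scheme == "urn":
        return urn_resolver is not None and urn_resolver(uri) is not None
    return True  # https


if __name__ == "__main__":
    signed = make_sample_token({"alg": "RS256", "typ": "oauth-authz-req+jwt"}, 3)
    unsecured = make_sample_token({"alg": "none"}, 3)
    print(request_uri_allowed("http://rp.example/req", "oidc-errata2", request_object=signed))
    print(request_uri_allowed("http://rp.example/req", "oidc-errata2", request_object=unsecured))
    print(request_uri_allowed("urn:example:req1", "jar-17", urn_resolver=lambda u: signed))
```

The policy table makes the thread's point concrete: a deployment that accepts `http` under Errata 2 and one that accepts `urn` under JAR draft 17 are each valid under their own document but reject each other's URIs, which is why the two lists are not simply subsets.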

Comments (5)

  1. Michael Jones

    This update was made in draft -24 19 months ago as a result of a working group discussion. I may be able to find the discussion before the next call.

  2. Michael Jones

    BTW, I wouldn't say that it's incompatible. JAR is a restriction of the Connect request object logic. As such, all JAR deployments would also be legal Connect request object deployments.

  3. Filip Skokan reporter

    > This update was made in draft -24 19 months ago as a result of a working group discussion. I may be able to find the discussion before the next call.

    Thanks, I'll try to do some digging then.

    > BTW, I wouldn't say that it's incompatible

    Incompatible may be a strong wording yes.

    > As such, all JAR deployments would also be legal Connect request object deployments.

    Not 100% though.

    • https - OIDC Errata 1
    • https, **http** - OIDC Errata 2
    • https, **urn** - JAR draft 17

    Feel free to close if you don't think this is worth aligning.
