fix: [Federation] trust_chain parameter in authz request without PAR and JAR
In the explanatory text of the parameter trust_chain, in the authorization request, we say that:
"Due to the large size of a Trust Chain it could be necessary to use a JWT-Secured Authorization Request (JAR) [RFC9101] or Pushed Authorization Request [RFC9126]."
JAR and PAR are not necessary because OIDC Core 1.0 allows the HTTP method POST in the Authorization Request
https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Comments (7)
-
reporter Here is the PR that closes this issue:
https://bitbucket.org/openid/connect/pull-requests/350/fix-federation-trust_chain-http-method-in
-
reporter - changed component to Federation
-
JAR provides (1) integrity protection and (2) non-repudiation. They are completely irrelevant to the size of the HTTP message. Rather, using JAR increases data size.
PAR provides (1) reduction of data that goes through the front channel (web browser) and (2) client authentication before the authorization request. (1) is related to the size of the HTTP message. A blog post describing a part of the history of the PAR spec development apparently indicates that one of the purposes of PAR is to reduce the size of data that goes through the front channel.
So, it is strange to mention JAR in the context of “the large size of a Trust Chain”, but PAR still remains valid as a solution. You may mention HTTP POST but don’t have to remove PAR.
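
The size argument in this thread can be checked by measuring what passes through the browser for each transport. The following is an added example, not part of the thread or of the specification: the JWTs are constructed, unsigned stand-ins, the endpoint and entity identifiers are hypothetical, and it assumes that outside a request object `trust_chain` is sent as a JSON-serialized array.

```python
import base64, json
from urllib.parse import urlencode

ENDPOINT = "https://op.example/authorize"   # hypothetical OP endpoint

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fake_jwt(claims: dict) -> str:
    # Constructed stand-in for a signed JWT: 256 zero bytes model an RS256 signature.
    header = {"alg": "RS256", "kid": "constructed"}
    parts = (json.dumps(header).encode(), json.dumps(claims).encode(), bytes(256))
    return ".".join(b64url(p) for p in parts)

# Constructed three-statement Trust Chain; each statement carries one RSA-2048-sized key.
CHAIN = [
    fake_jwt({"iss": iss, "sub": sub,
              "jwks": {"keys": [{"kty": "RSA", "e": "AQAB", "n": "A" * 342}]}})
    for iss, sub in [("https://rp.example", "https://rp.example"),
                     ("https://ia.example", "https://rp.example"),
                     ("https://ta.example", "https://ia.example")]
]
BASE = {"response_type": "code", "client_id": "https://rp.example", "scope": "openid",
        "redirect_uri": "https://rp.example/cb", "state": "constructed-state"}

def browser_bytes() -> dict:
    """Per transport: (URL length, form-body length) that passes through the browser."""
    # Assumption: outside a request object, trust_chain is a JSON-serialized array.
    plain = urlencode(dict(BASE, trust_chain=json.dumps(CHAIN)))
    # JAR by value: all parameters move into a signed request object (RFC 9101).
    jar = urlencode({"client_id": BASE["client_id"],
                     "request": fake_jwt(dict(BASE, trust_chain=CHAIN))})
    # PAR: parameters are pushed back-channel; the browser carries a reference (RFC 9126).
    par = urlencode({"client_id": BASE["client_id"],
                     "request_uri": "urn:ietf:params:oauth:request_uri:constructed"})
    return {
        "GET": (len(f"{ENDPOINT}?{plain}"), 0),
        "POST": (len(ENDPOINT), len(plain)),
        "JAR via GET": (len(f"{ENDPOINT}?{jar}"), 0),
        "PAR via GET": (len(f"{ENDPOINT}?{par}"), 0),
    }

if __name__ == "__main__":
    for name, (url, body) in browser_bytes().items():
        print(f"{name:12} url={url:6} body={body:6}")
```

POST moves the same bytes from the URL into the form body, JAR by value re-encodes the whole chain in base64url and so grows, and only PAR shrinks what the browser carries.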
-
reporter Thank you for the details. Your suggestion is important; I'll take it.
-
reporter Done here:
https://bitbucket.org/peppelinux/connect-2/commits/d755d8beea4daa3509e0eca75a125885250cefeb
Feel free to put your suggestions over the text in the PR, thank you.
-
reporter - changed status to resolved