fix: [Federation] trust_chain parameter in authz request without PAR and JAR

Comments (7)

1. 

   Giuseppe De Marco reporter

   • edited description

   • 2022-10-29T21:15:43+00:00
2. 

   Giuseppe De Marco reporter

   Here the PR that closes this issue
   https://bitbucket.org/openid/connect/pull-requests/350/fix-federation-trust_chain-http-method-in

   • 2022-10-29T21:23:51+00:00
3. 

   Giuseppe De Marco reporter

   • changed component to Federation

   • 2022-10-29T21:58:02+00:00
4. 

   Takahiko Kawasaki

   JAR provides (1) integrity protection and (2) non-repudiation. They are completely irrelevant to the size of HTTP message. Rather, using JAR increases data size.

   PAR provides (1) reduction of data that goes through the front channel (web browser) and (2) client authentication before authorization request. (1) is related to the size of HTTP message. A blog post describing a part of the history of the PAR spec development apparently indicates that one of the purposes of PAR is to reduce size of data that goes through the front channel.

   So, it is strange to mention JAR in the context of “the large size of a Trust Chain”, but PAR still remains valid as a solution. You may mention HTTP POST but don’t have to remove PAR.

   • 2022-10-30T03:08:58+00:00
5. 

   Giuseppe De Marco reporter

   Thank you for details, your suggestion is important, I take it

   • 2022-10-30T07:58:50+00:00
6. 

   Giuseppe De Marco reporter

   Done here
   https://bitbucket.org/peppelinux/connect-2/commits/d755d8beea4daa3509e0eca75a125885250cefeb

   feel free to put your suggestions over the text in the PR, thank you

   • 2022-11-01T22:54:24+00:00
7. 

   Giuseppe De Marco reporter

   • changed status to resolved

   Closed by https://bitbucket.org/openid/connect/pull-requests/350

   • 2022-11-11T16:19:17+00:00
8. Log in to comment