POST to authorization endpoint

Issue #2115 open
Joseph Heenan created an issue

As per previous meetings' discussions (see minutes on https://lists.openid.net/pipermail/openid-specs-ab/2024-January/thread.html and my response).

There was some further discussion here:

https://gitlab.com/openid/conformance-suite/-/issues/1293

However, we need further discussion in the WG to reach consensus on what, if any, certification tests should be added, or whether spec updates should be made.

Comments (8)

  1. Brian Campbell

    Maybe a controversial take, but is it an option to not add any certification tests and not make any spec updates?

  2. Tom Jones

    I would prefer not to add this to the certification tests. Apparently lots of implementations don't use it - I think it was Joseph that said FAPI did not.

    I believe that OIDC requires an incremental update this year because we expect RSA to be deprecated.

    So, let's change this to add a new milestone 1.1 and add this to that milestone.

  3. Joseph Heenan reporter

    Isn't this a dup of 1293? We certainly don't need both.

    1293 is a request to change the conformance suite in the conformance suite bug tracker. People were posting there suggesting changes to the specification, and changes to the specification need to be discussed in the Connect WG - this issue (2115) is in the Connect WG tracker and is the correct place to gather working group consensus on what action (if any) might be taken.

    Probably 1293 can be closed for now as I think there isn’t a consensus in the working group as to what changes might be made to the conformance suite.

  4. Michael Jones
    • changed status to open

    OpenID Connect is not ambiguous in this regard. As Aaron Parecki cited, Section 3.1.2.1 says:

    Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 7231 [RFC7231] at the Authorization Endpoint.

    Furthermore, some implementations do support this.

    I believe that we should therefore add the missing certification test. I think the main question before us is whether it should be in its own profiles or whether it should be added to the OP Basic and RP Basic profiles. And whether failing it should result in a warning or an error.
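The requirement quoted above is concrete enough to show in code. The following is an added example, not code from the OpenID Connect specifications or the conformance suite: a minimal WSGI authorization endpoint that decodes the request identically whether the RP used GET (query string) or POST (form-encoded body), a GET-only variant of the kind the issue is about, and a conformance-style probe that sends the same request both ways and reports "pass" or "warning". All names, the sample request values and the pass/warning verdicts are assumptions made for this example.

```python
import json
from io import BytesIO
from urllib.parse import parse_qs, urlencode

# Parameters every OIDC authorization request must carry (Core 3.1.2.1).
REQUIRED = ("scope", "response_type", "client_id", "redirect_uri")
FORM = "application/x-www-form-urlencoded"


def parse_authorization_request(environ):
    """Return (params, error) for the authorization request in a WSGI environ.

    Core 3.1.2.1: the OP MUST accept the request via HTTP GET (parameters
    serialized in the query string) and HTTP POST (parameters form-encoded
    in the body). Both serializations are decoded into the same dict so the
    rest of the OP never needs to know which method the RP used.
    """
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";", 1)[0].strip().lower()
        if ctype != FORM:
            return None, "unsupported_media_type"
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length).decode("utf-8")
    else:
        return None, "method_not_allowed"

    multi = parse_qs(raw, keep_blank_values=True)
    # RFC 6749 3.1: a parameter MUST NOT be included more than once.
    if any(len(v) > 1 for v in multi.values()):
        return None, "invalid_request"
    params = {k: v[0] for k, v in multi.items()}
    if any(k not in params for k in REQUIRED):
        return None, "invalid_request"
    if "openid" not in params["scope"].split():
        return None, "invalid_scope"
    return params, None


def authorization_endpoint(environ, start_response):
    """Spec-conformant endpoint: GET and POST are handled identically."""
    params, error = parse_authorization_request(environ)
    if error == "method_not_allowed":
        start_response("405 Method Not Allowed", [("Allow", "GET, POST")])
        return [b""]
    if error:
        start_response("400 Bad Request", [("Content-Type", "application/json")])
        return [json.dumps({"error": error}).encode()]
    # A real OP would authenticate the End-User here (login page, consent,
    # redirect back with code/id_token). Echoing the parsed request is enough
    # to show that both serializations reach the same state.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(params, sort_keys=True).encode()]


def get_only_endpoint(environ, start_response):
    """The kind of implementation the issue is about: accepts GET, rejects POST."""
    if environ["REQUEST_METHOD"] != "GET":
        start_response("405 Method Not Allowed", [("Allow", "GET")])
        return [b""]
    return authorization_endpoint(environ, start_response)


def _call(app, environ):
    """Invoke a WSGI app and capture (status line, response body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def check_post_support(app, params):
    """Conformance-style probe: send the same request by GET and by POST.

    Returns "pass" when the OP answers both identically, otherwise "warning"
    (the severity the working group settled on, rather than an error).
    """
    query = urlencode(params)
    get_env = {"REQUEST_METHOD": "GET", "QUERY_STRING": query,
               "wsgi.input": BytesIO(b"")}
    post_env = {"REQUEST_METHOD": "POST", "QUERY_STRING": "",
                "CONTENT_TYPE": FORM, "CONTENT_LENGTH": str(len(query)),
                "wsgi.input": BytesIO(query.encode())}
    return "pass" if _call(app, get_env) == _call(app, post_env) else "warning"


# Constructed sample request; the values are illustrative only.
SAMPLE = {"scope": "openid profile", "response_type": "code",
          "client_id": "s6BhdRkqt3", "redirect_uri": "https://rp.example/cb",
          "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}

if __name__ == "__main__":
    print("conformant OP:", check_post_support(authorization_endpoint, SAMPLE))
    print("GET-only OP:  ", check_post_support(get_only_endpoint, SAMPLE))
```

Against a real OP the probe would issue two HTTP requests instead of calling a WSGI app directly, and "identical" would have to be judged on the observable outcome (same login page or same redirect target) rather than a byte-for-byte body comparison, since a real endpoint will typically emit a fresh session cookie or CSRF token on every request.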

  5. Michael Jones

    We discussed this again on the 26-Feb-24 working group call. The unanimous conclusion was that the best thing to do is to add a new test for this to the applicable certification profiles but to have failing the test result in a warning, rather than an error.
