Messages 2.1.2.1 and Standard 2.3.1.2 - Inconsistent treatment of OAuth parameters in OpenID request message
Issue #575
resolved
As reported by Vladimir Dzhuvinov, http://openid.net/specs/openid-connect-standard-1_0-09.html#req_param_method says
"All [...] parameters MUST also be JSON Serialized into the OpenID Request Object with the same values."
whereas http://openid.net/specs/openid-connect-messages-1_0-09.html#OpenID_Request_Object says
"If the same parameters are present both in the Authorization Request and in the OpenID Request Object, the latter takes precedence."
This is both inconsistent and confusing.
Comments (2)
reporter - changed status to resolved
Fix
We agreed to change Messages and Standard to state that it is optional to also include OAuth parameters in the OpenID request object, but that if they are in both places, they MUST match.
Optional OAuth parameters MAY be present only in the OpenID Request object. The one exception to this is that the scope parameter is the one OAuth parameter that MUST be present in the OAuth request (so the "openid" scope is always present in the OAuth request).
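As an added example of how an OpenID Provider could enforce the rule agreed above (this is hypothetical helper code, not code from the OpenID Connect specifications or any implementation), the check below takes the authorization request URL and the already verified and decoded claims of the request object, and reports any parameter that appears in both places with different values, plus a missing or "openid"-less scope in the OAuth request. The request object's JWT parsing and signature verification are assumed to have happened earlier; the sample data is constructed.

```python
"""Consistency check between an OAuth authorization request and its
OpenID Request Object, following the resolution of this issue:
  - OAuth parameters MAY be repeated in the request object;
  - a parameter present in both places MUST match;
  - "scope" MUST be in the OAuth request itself and include "openid".
Hypothetical helper, not code from the OpenID specs."""
from urllib.parse import parse_qs, urlsplit


def parse_auth_request(url):
    """Return the (single-valued) query parameters of an authorization request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def _scope_tokens(value):
    """scope is a space-separated list; compare it order-insensitively."""
    return set(value.split())


def check_request_consistency(auth_params, request_object):
    """Return a list of violations; an empty list means the request is consistent.

    auth_params: dict of query parameters from the OAuth request.
    request_object: dict of claims from the verified, decoded request object
    (values assumed to be strings, as they are in the query string)."""
    errors = []
    scope = auth_params.get("scope")
    if scope is None:
        errors.append("scope missing from OAuth request")
    elif "openid" not in _scope_tokens(scope):
        errors.append("scope in OAuth request lacks 'openid'")
    # Only parameters that occur in BOTH places are compared; request-object-only
    # parameters are allowed by the agreed rule.
    for name in sorted(set(auth_params) & set(request_object)):
        a, r = auth_params[name], request_object[name]
        same = _scope_tokens(a) == _scope_tokens(r) if name == "scope" else a == r
        if not same:
            errors.append(f"{name} differs: OAuth request {a!r} vs request object {r!r}")
    return errors


# Constructed sample: redirect_uri differs between the two places.
SAMPLE_URL = ("https://op.example.com/authorize?response_type=code&client_id=client-123"
              "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&scope=openid%20profile"
              "&state=af0ifjsldkj&request=REQUEST_OBJECT_JWT_PLACEHOLDER")
SAMPLE_REQUEST_OBJECT = {
    "response_type": "code",
    "client_id": "client-123",
    "redirect_uri": "https://client.example.org/cb2",  # mismatch on purpose
    "scope": "profile openid",                         # same tokens, other order
    "nonce": "n-0S6_WzA2Mj",                           # request-object-only is fine
}

if __name__ == "__main__":
    for problem in check_request_consistency(parse_auth_request(SAMPLE_URL), SAMPLE_REQUEST_OBJECT):
        print("reject:", problem)
```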