Should we define a discovery metadata for request object endpoint
Part 2 mentions the request object endpoint in section 7, however it's unclear how clients discover a server's request object endpoint, or whether or not the server has one.
Should (can?) FAPI define a new entry in the provider metadata to hold the URL for this endpoint, like the others in https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
The current language in the spec seems a little unclear to me too - is a FAPI part 2 compliant AS required to provide a request object endpoint?
Comments (7)
We discussed adding it to the FAPI spec for now. We can later adjust the FAPI spec to reference OAuth JAR.
I'll do a pull request using the key:
request_object_endpoint
reporter - changed status to resolved
closing, https://bitbucket.org/openid/fapi/pull-requests/48/add-openid-discovery-metadata-for-request/diff addresses this and has been merged in.
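How a client could consume the `request_object_endpoint` metadata key discussed in this issue, as an added example that is not code from the FAPI spec or the pull request. The sample metadata, the `as.example.com` URLs, the function name and the https-only check on the new key are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample provider metadata (not taken from a real server).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "request_object_endpoint": "https://as.example.com/request-objects",
})


class MetadataError(ValueError):
    """Raised when the discovery document should not be trusted as-is."""


def request_object_endpoint(metadata_json, expected_issuer):
    """Return the advertised request object endpoint, or None if absent."""
    meta = json.loads(metadata_json)
    if not isinstance(meta, dict):
        raise MetadataError("metadata is not a JSON object")
    # OpenID Connect Discovery: the issuer in the document must exactly
    # match the issuer the client used to locate the document.
    if meta.get("issuer") != expected_issuer:
        raise MetadataError("issuer mismatch")
    endpoint = meta.get("request_object_endpoint")
    if endpoint is None:
        return None  # the server does not advertise a request object endpoint
    if not isinstance(endpoint, str):
        raise MetadataError("request_object_endpoint is not a string")
    url = urlsplit(endpoint)
    # Assumption: like the other endpoints, this one must be an https URL
    # with a host and no fragment.
    if url.scheme != "https" or not url.hostname or url.fragment:
        raise MetadataError("request_object_endpoint is not a usable https URL")
    return endpoint
```

A `None` result tells the client that the server does not advertise the endpoint, which is the "whether or not the server has one" case raised in the issue.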
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
This is a good point. I just realised that could have been addressed in the OAuth JWS request spec:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-15
The OAuth WG decided to adopt the request object concept from OIDC and make it a general OAuth spec.
Unfortunately, the draft seems to have reached the IESG. I don't know what can be done at that point.