"shall additionally send duplicates of the parameters/values using the OAuth 2.0 request syntax where required by the OAuth specification" is vague
FAPI part 2 id 2 says:
shall additionally send duplicates of the parameters/values using the OAuth 2.0 request syntax where required by the OAuth specification
This is a bit vague (which I apologise for as I think I wrote it...) and I've found that in practice people are interpreting it in different ways.
e.g. oauth2 says the redirect_uri is optional, but then explanatory text in the oauth2 standard means it's not really optional.
I suggest we just explicitly enumerate the parameters that need to be duplicated outside the request object.
I think they're probably:
- response_type (required by https://tools.ietf.org/html/rfc6749#section-4.1.1 )
- client_id (required by https://tools.ietf.org/html/rfc6749#section-4.1.1 )
- redirect_uri (required by rfc6749 but only if multiple redirect urls registered; always required by OIDCC)
- scope (optional in oauth2 but required in OIDCC; I think strictly the ID2 text doesn't require scope to be sent outside the request object but I have seen people interpret it this way).
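As an added illustration (not part of the issue, the PR or the FAPI specification), the following Python shows both halves of the clause: a client that puts every parameter inside the request object and duplicates the enumerated ones as plain OAuth 2.0 query parameters, and a server-side check that each duplicated parameter is present exactly once outside the request object and equals the value inside it, which is what makes the duplication interoperable rather than an attack surface (a differing outside value must be rejected, not silently preferred). The parameter set defaults to the four listed above and is passed in as a tuple so it can be narrowed, e.g. to drop redirect_uri. The endpoint, client identifier and claim values are constructed, and the request object carries a placeholder signature segment because JWS signing and verification are out of scope here; a real FAPI deployment uses a JOSE library with PS256 or ES256 and verifies the signature before trusting any claim.

```python
"""Duplicate-parameter handling for FAPI authorization requests (illustrative example)."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example.test/authorize"  # constructed, not a real server

# The set proposed in the issue body. Pass a different tuple to narrow it
# (for instance to drop redirect_uri).
DUPLICATED_PARAMS = ("response_type", "client_id", "redirect_uri", "scope")

SAMPLE_CLAIMS = {  # constructed values for the request object
    "iss": "s6BhdRkqt3",
    "aud": "https://as.example.test",
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.test/cb",
    "scope": "openid accounts",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1700000000,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_request_object(claims: dict) -> str:
    """Compact-JWS-shaped request object. The signature segment is a constructed
    placeholder: FAPI requires a real JWS (PS256/ES256) from a JOSE library."""
    header = {"alg": "PS256", "typ": "oauth-authz-req+jwt", "kid": "example-key"}  # constructed
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"placeholder-signature"),
    ])


def build_authz_url(claims: dict, duplicated=DUPLICATED_PARAMS, overrides=None) -> str:
    """Client side: all parameters go in the request object; the names in `duplicated`
    are also sent using plain OAuth 2.0 query syntax. `overrides` deliberately sends a
    different outside value so the server check can be exercised."""
    outside = {name: claims[name] for name in duplicated if name in claims}
    outside.update(overrides or {})
    outside["request"] = make_request_object(claims)
    return f"{AUTHZ_ENDPOINT}?{urlencode(outside)}"


def request_object_claims(jwt: str) -> dict:
    """Payload of a compact JWS. Signature verification is assumed to have happened
    before this is called; a real server must never skip it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_duplicates(authz_url: str, required=DUPLICATED_PARAMS) -> list:
    """Server side: list of problems. Empty means every required parameter appears exactly
    once outside the request object and equals the value inside it."""
    query = parse_qs(urlsplit(authz_url).query, keep_blank_values=True)
    if "request" not in query:
        return ["request parameter missing"]
    claims = request_object_claims(query["request"][0])
    problems = []
    for name in required:
        outside = query.get(name)
        inside = claims.get(name)
        if inside is None:
            problems.append(f"{name} missing inside request object")
        if outside is None:
            problems.append(f"{name} missing outside request object")
        elif len(outside) != 1:
            problems.append(f"{name} sent more than once outside request object")
        elif inside is not None and outside[0] != inside:
            problems.append(f"{name} mismatch: outside={outside[0]!r} inside={inside!r}")
    return problems


if __name__ == "__main__":
    print("consistent:", check_duplicates(build_authz_url(SAMPLE_CLAIMS)))
    tampered = build_authz_url(SAMPLE_CLAIMS, overrides={"scope": "openid accounts payments"})
    print("tampered scope:", check_duplicates(tampered))
    narrow = ("response_type", "client_id", "scope")
    url = build_authz_url(SAMPLE_CLAIMS, duplicated=narrow)
    print("narrow set, checked against the wide set:", check_duplicates(url))
    print("narrow set, checked against the narrow set:", check_duplicates(url, required=narrow))
```

The check reports every problem rather than stopping at the first, so a conformance tester sees in one run which of the enumerated parameters an implementation omits or lets drift from the request object.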
Comments (6)
- reporter: redirect_uri should not be one of the ones that require duplication.
- changed status to closed
  Merged in josephheenan/fapi/clarify-dup-parameters (pull request #97)
  FAPI-RW: Clarify the clause about duplicate request parameters
  The current clause was being interpreted in different ways by different implementations; to help interoperability, we now spell out exactly what is meant.
  closes #217
  Approved-by: Brian Campbell bcampbell@pingidentity.com
  Approved-by: Dave Tonge dave.tonge@bluespeckfinancial.co.uk
  → <<cset 74754ca7cde8>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
https://openid.net/specs/openid-connect-core-1_0.html#RequestObject says: