Are duplicates of the response_type, and scope values necessary when using PAR?

Comments (15)

1. 

   Joseph Heenan reporter

   Actually the latest PAR and https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-26 make clear that client_id is required both inside and outside.

   So the question is only about response_type and scope.

   • 2020-08-06T16:38:43+00:00
2. 

   Dave Tonge

   I would agree - although maybe for FAPI 2? I think we left this in for interoperability reasons.

   • 2020-08-12T14:15:42+00:00
3. 

   Joseph Heenan reporter

   I think mostly we were clarifying the existing requirement in OIDC which in turn did it to be technically compliant with OAuth2. (And I think some vendor implementations could not process OpenID Connect requests if those parameters were missing.)

   It’d be nice for clients not to have to send scope via the browser if it’s not necessary (though probably the privacy considerations in doing so are minimal in most cases), and it’s potentially incompatible with RAR to require a scope.

   I think the expectation would be that people deploying PAR are doing so using vendor support for it (as opposed to attempting to retrofit PAR onto existing authorization server by, say, implementing on a different server in custom code that tries to verify client authentication perhaps by accessing private client management APIs in the AS).

   If that expectation is also correct, then I think it’s reasonable to expect the Authorization Servers to be fully compatible with JAR/PAR, so it would be unnecessary for the client to send the duplicates in that case. i.e. when PAR is in use, I don’t think the backwards compatibility arguments apply so much, as PAR is a brand new standard vendors are only now adding support for.

   ‌

   I’d prefer to weaken the clause, at least when PAR is in use.

   • 2020-08-12T15:19:57+00:00
4. 

   Dave Tonge

   That makes sense to me.

   I don’t think we should make it conditional though - we can just require client id, in the same way as jwsreq does?

   I suppose there could be a problem if an AS who previously gained conformance with FAPI, rejected requests that didn’t have the duplicate params? How would we deal with that?

   • 2020-08-12T15:24:11+00:00
5. 

   Joseph Heenan reporter

   Changing it for the non-PAR case is definitely problematic and likely a breaking change; I’m pretty certain several vendor products that UK banks have managed to get signed request objects working with do require the duplicate parameters, or rather without the duplicate parameters the Authorization Endpoint just won’t get past some of their core processing.

   Changing it just for PAR isn’t really a breaking change as the previous implementers draft didn’t include PAR, and because the PAR spec doesn’t require the duplicates to be sent. Or put another way, one way of viewing it is that when we added PAR to FAPI we accidentally ended up with the statement about duplicates applying to PAR.

   ‌

   • 2020-08-12T23:02:41+00:00
6. 

   Dave Tonge

   Yep - I see.

   So how about this:

   shall additionally send duplicates of the response_type, client_id, and scope parameters/values using the OAuth 2.0 request syntax as required by the OAuth and OpenID Connect specifications, unless using [PAR] in which case only the client_id shall be duplicated.

   ‌

   We should probably check if any other clauses need adjusting

   • 2020-08-13T08:08:09+00:00
7. 

   Joseph Heenan reporter

   Thanks Dave - your suggested wording sounds good.

   ‌

   I had a scan through and no other clauses leapt out a problematic.

   ‌

   The only thing that does occur to me is that we could make a transition to FAPI 2 easier by suggesting that when using PAR clients should send PKCE, regardless of whether the server supports it or not. Or we could just mandate PKCE when using PAR, it wouldn’t be a breaking change due to the previous draft not mentioning PAR. (If you remember I believe we almost made PKCE mandatory in FAPI-RW, due to many clients not checking s_hash and hence not actually getting the protection s_hash provides - the major reason we didn’t do so was that we didn’t want to impose a breaking change on the UK ecosystem.)

   • 2020-08-13T10:05:08+00:00
8. 

   Joseph Heenan reporter

   • changed title to Are duplicates of the response_type, and scope values necessary when using PAR?
   • edited description

   • 2020-08-19T14:55:25+00:00
9. 

   Joseph Heenan reporter

   I’ve created a new issue to cover the PKCE discussion: https://bitbucket.org/openid/fapi/issues/307/fapi-rw-require-pkce-when-using-par

   • 2020-08-20T11:29:50+00:00
10. 

    Nat Sakimura

    • changed status to open

    Are we done with the discussion?

    • 2020-09-09T12:53:54+00:00
11. 

    Joseph Heenan reporter

    yes, I think we agreed this - I raised https://bitbucket.org/openid/fapi/pull-requests/188/clarify-that-duplicate-parameters/diff to updated the spec, which I think is ready to be merged.

    • 2020-09-09T13:16:05+00:00
12. 

    Dave Tonge

    • changed status to closed

    Merged in par-duplicates (pull request #188)

    Clarify that duplicate parameters requirement doesn't apply to PAR

    • Clarify that duplicate parameters requirement doesn't apply to PAR

    As per discussion here:

    https://bitbucket.org/openid/fapi/issues/304/are-duplicates-of-the-response_type

    with fixed c&p error & clarified language as per comments from Brian Campbell

    closes #304

    Approved-by: Dima Postnikov Approved-by: Dave Tonge Approved-by: Nat Sakimura

    → <<cset 0b6071d0d932>>

    • 2020-09-09T14:58:12+00:00
13. 

    Nat Sakimura

    • changed component to Part 2: Advanced

    • 2022-12-14T15:36:11+00:00
14. 

    Nat Sakimura

    • changed component to FAPI 1 – Part 2: Advanced

    • 2022-12-14T15:36:45+00:00
15. 

    Nat Sakimura

    • changed component to FAPI 1: Advanced

    • 2022-12-14T15:38:55+00:00
16. Log in to comment