PAR certification question - must servers allow requests where scope/response_type only passed to PAR endpoint

Issue #315 resolved
Joseph Heenan created an issue

Should the FAPI-RW 1.0 PAR certification tests insist that this form of request:

authorization_endpoint?request_uri=<…>&client_id=<…>

is accepted and works? (as per JAR https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5 )

Or asked a different way, it is okay for FAPI compliant requests that use PAR to require that the request takes this form with duplicate parameters outside the request object:

authorization_endpoint?request_uri=<…>&client_id=<…>&scope=<…>&response_type=<…>

Comments (6)

  1. Stuart Low

    @Joseph Heenan Specifically referencing this part?

    The client MAY send the parameters included in the request object duplicated in the query parameters as well for the backward compatibility etc. However, the authorization server supporting this specification MUST only use the parameters included in the request object.

    As I read this, regardless of query parameters the pushed request is authoritative? Regarding the requirement to accept it, from an ACDS perspective I can definitely see use cases for transitional reasons (ie. clients including existing parameters from existing deployments which add request_uri as a post change addition).

  2. Joseph Heenan reporter

    That’s correct.

    So for most of the PAR tests, we send all the parameters duplicates, as the ‘MAY’ allows.

    The question is: should I add a test that doesn’t include the duplicates in the query parameters, as PAR seems to require servers to accept requests without the duplicates.

  3. Takahiko Kawasaki

    A test that doesn’t include the duplicates will be able to check whether the PAR endpoint implementation conforms to JAR. Especially, it is better to confirm that the implementation handles breaking changes below introduced by JAR correctly.

    1. response_type request parameter outside the request object can be omitted, assuming that the request object contains response_type.
    2. Request parameters outside the request object must not be merged. For example, a PAR request with response_type request parameter and a request object which doesn’t include response_type should fail at the PAR endpoint or fail at the authorization endpoint later.

  4. Joseph Heenan reporter

    As well as Taka’s above, I’ve discussed this with 3 other implementors (two of whom pass the test, and another who fails but wants to pass), there seems to be a good consensus that servers must not require the duplicates.

  5. Log in to comment