- changed title to PAR certification question - must servers allow requests where scope/response_type only passed to PAR endpoint
PAR certification question - must servers allow requests where scope/response_type only passed to PAR endpoint
Should the FAPI-RW 1.0 PAR certification tests insist that this form of request:
authorization_endpoint?request_uri=<…>&client_id=<…>
is accepted and works? (as per JAR https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5 )
Or, asked a different way, is it okay for FAPI-compliant requests that use PAR to require that the request take this form, with duplicate parameters outside the request object:
authorization_endpoint?request_uri=<…>&client_id=<…>&scope=<…>&response_type=<…>
Comments (9)
-
reporter -
@Joseph Heenan Specifically referencing this part?
The client MAY send the parameters included in the request object duplicated in the query parameters as well for the backward compatibility etc. However, the authorization server supporting this specification MUST only use the parameters included in the request object.
As I read this, regardless of query parameters the pushed request is authoritative? Regarding the requirement to accept it, from an ACDS perspective I can definitely see use cases for transitional reasons (i.e. clients including existing parameters from existing deployments which add request_uri as a post-change addition). -
reporter That’s correct.
So for most of the PAR tests, we send all the parameters as duplicates, as the ‘MAY’ allows.
The question is: should I add a test that doesn’t include the duplicates in the query parameters, as PAR seems to require servers to accept requests without the duplicates.
-
A test that doesn’t include the duplicates will be able to check whether the PAR endpoint implementation conforms to JAR. Especially, it is better to confirm that the implementation handles the breaking changes below, introduced by JAR, correctly.
- The response_type request parameter outside the request object can be omitted, assuming that the request object contains response_type.
- Request parameters outside the request object must not be merged. For example, a PAR request with a response_type request parameter and a request object which doesn’t include response_type should fail at the PAR endpoint or fail at the authorization endpoint later.
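To make the two JAR behaviours discussed in this thread concrete (the reporter's point that a server must accept request_uri plus client_id alone, and the two checks listed above), here is an added Python sketch of a PAR endpoint and an authorization endpoint. It is not code from the conformance suite or from any implementer; the `AuthorizationServer` class, the `REQUIRED_IN_REQUEST_OBJECT` policy, the in-memory `par_store` and all client/parameter values are constructed for the example, and `form["request"]` stands in for the already-verified claims of the request-object JWT (signature verification is out of scope here). Duplicated query parameters are accepted but ignored, which is the reading of "MUST only use the parameters included in the request object" applied here.

```python
import secrets
from dataclasses import dataclass, field

# Parameters the server insists on seeing inside the pushed request object.
# Constructed policy for this example; FAPI 1.0 Advanced requires more.
REQUIRED_IN_REQUEST_OBJECT = ("client_id", "response_type", "scope", "redirect_uri")


class OAuthError(Exception):
    """Raised with the OAuth error code the endpoint would return."""


@dataclass
class AuthorizationServer:
    # request_uri -> parameters taken from the pushed request object only
    par_store: dict = field(default_factory=dict)

    def par_endpoint(self, form: dict) -> str:
        """Handle a PAR POST. `form` is the decoded body; form["request"] is the
        (assumed already verified) claim set of the request-object JWT."""
        if "client_id" not in form or "request" not in form:
            raise OAuthError("invalid_request")
        request_object = form["request"]
        # JAR: only request-object parameters count. Outer duplicates are never
        # merged in, so a response_type sent only outside cannot satisfy this.
        missing = [p for p in REQUIRED_IN_REQUEST_OBJECT if p not in request_object]
        if missing:
            raise OAuthError("invalid_request")
        # The authenticated client must be the client named in the request object.
        if request_object["client_id"] != form["client_id"]:
            raise OAuthError("invalid_request")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.par_store[request_uri] = dict(request_object)
        return request_uri

    def authorization_endpoint(self, query: dict) -> dict:
        """Resolve the authorization request. The minimal JAR form
        (request_uri + client_id) is sufficient; extra query parameters such as
        scope or response_type are tolerated but the effective parameters come
        from the stored request object only."""
        if "request_uri" not in query or "client_id" not in query:
            raise OAuthError("invalid_request")
        stored = self.par_store.pop(query["request_uri"], None)  # one-time use
        if stored is None or stored["client_id"] != query["client_id"]:
            raise OAuthError("invalid_request")
        return stored


def demo() -> dict:
    """Constructed walk-through of the three cases discussed in the thread."""
    srv = AuthorizationServer()
    good_ro = {"client_id": "client-a", "response_type": "code id_token",
               "scope": "openid accounts", "redirect_uri": "https://rp.example/cb",
               "nonce": "n-1"}
    results = {}
    # 1. Push, then the minimal JAR-style request: must be accepted.
    uri = srv.par_endpoint({"client_id": "client-a", "request": good_ro})
    results["minimal_form_accepted"] = (
        srv.authorization_endpoint({"request_uri": uri, "client_id": "client-a"}) == good_ro)
    # 2. Duplicated (here even conflicting) query parameters: accepted, not merged.
    uri = srv.par_endpoint({"client_id": "client-a", "request": good_ro})
    effective = srv.authorization_endpoint({"request_uri": uri, "client_id": "client-a",
                                            "scope": "openid payments",
                                            "response_type": "code"})
    results["duplicates_ignored"] = effective["scope"] == "openid accounts"
    # 3. response_type only outside the request object: rejected at the PAR endpoint.
    bad_ro = {k: v for k, v in good_ro.items() if k != "response_type"}
    try:
        srv.par_endpoint({"client_id": "client-a", "request": bad_ro,
                          "response_type": "code id_token"})
        results["outer_only_response_type_rejected"] = False
    except OAuthError:
        results["outer_only_response_type_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The `pop` in `authorization_endpoint` makes each request_uri single-use, so a replayed request_uri fails with `invalid_request`; a test that omits the duplicates exercises exactly the first branch, while the "must not be merged" check lives at the PAR endpoint, where the server still has both the outer form and the request object in hand.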
-
reporter As well as Taka’s comment above, I’ve discussed this with 3 other implementors (two of whom pass the test, and another who fails but wants to pass); there seems to be a good consensus that servers must not require the duplicates.
-
- changed status to resolved
People happy with the test.
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced