(ed) awkward/incorrect language around request_uri
Section 5.2 of RW / Part II https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md#markdown-header-522-authorization-server has:
“shall require the request or request_uri parameter to be passed as a JWS signed JWT as in clause 6 of OIDC;”
and
“shall only use the parameters included in the signed request object passed in the request or request_uri parameter;”
both of which, if read literally (and that tends to happen with these documents), suggest that the request_uri value is itself a JWS. Which, of course, it isn’t.
Perhaps something more like:
“shall require the request or request_uri parameter to be or reference a JWS signed JWT”
and
“shall only use the parameters included in the signed request object passed via the request or request_uri parameter;”
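The by-value versus by-reference distinction raised above, as an added example that is not part of the issue or of the FAPI text. The function names and the `pushed` lookup table (standing in for however the server dereferences a request_uri) are assumptions, and HS256 is a stand-in so the code runs on the standard library alone; FAPI itself requires PS256 or ES256.

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = {"HS256"}  # stand-in for the example; FAPI requires PS256 or ES256

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Build a compact JWS; used only to construct sample input."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify(jws: str, key: bytes) -> dict:
    """Return the claims of a signed request object, or raise ValueError."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    head, body, sig = parts
    header = json.loads(b64u_dec(head))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unsigned or unsupported alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))

def effective_params(query: dict, key: bytes, pushed: dict) -> dict:
    """Resolve the request object, then use only the parameters inside it."""
    if ("request" in query) == ("request_uri" in query):
        raise ValueError("exactly one of request / request_uri is required")
    if "request" in query:
        jws = query["request"]                  # by value: the parameter is the JWS
    else:
        jws = pushed.get(query["request_uri"])  # by reference: the parameter names it
        if jws is None:
            raise ValueError("unknown request_uri")
    # Unsigned parameters in the outer query are deliberately ignored.
    return verify(jws, key)
```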
Comments (9)
-
-
- changed status to open
General agreement on the editorial change. Need to wordsmith. PR to be created based on it.
-
- changed title to (ed) awkward/incorrect language around request_uri
-
reporter how about “shall require a JWS signed JWT request object passed by value with the request parameter or by reference with the request_uri parameter”? I’m just trying to work with the language that was already there but adjust it so it’s not wrong.
The “clause 6 of OIDC” pointer could be included too. Or not. I dunno. I don’t know that it’s a particularly helpful reference. Maybe. But as @josephheenan pointed out to me, it’s probably not totally correct either given the use of PAR in general for request_uri, which is built on JAR rather than the OIDC’s “Passing Request Parameters as JWTs” section.
Trying to keep the scope of the change small so as to just fix some problematic language. But once you start pulling on the thread…
-
reporter PR #211 addresses this.
-
- changed status to resolved
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
I am OK with changing it, as the change is only editorial, but there are a few points that I would like to make.
request or request_uri parameter to be or reference a JWS signed JWT” is a bit hard to read.