(ed) awkward/incorrect language around request_uri

Issue #319 resolved
Brian Campbell created an issue

Section 5.2 of RW / Part II https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md#markdown-header-522-authorization-server has:

“shall require the request or request_uri parameter to be passed as a JWS signed JWT as in clause 6 of OIDC;”

and

“shall only use the parameters included in the signed request object passed in the request or request_uri parameter;”

both of which, if read literally (and that tends to happen with these documents), suggest that the request_uri value is itself a JWS. Which, of course, it isn’t.

Perhaps something more like:

“shall require the request or request_uri parameter to be or reference a JWS signed JWT”

and

“shall only use the parameters included in the signed request object passed via the request or request_uri parameter;”

Comments (9)

  1. Nat Sakimura

    I am OK with changing it, as the change is only editorial, but there are a few points that I would like to make.

    • Should we not refer to clause 6 of OIDC to give readers a pointer?
    • For a non-native speaker, “shall require the request or request_uri parameter to be or reference a JWS signed JWT” is a bit hard to read.

  2. Nat Sakimura
    • changed status to open

    General agreement on the editorial change. Need to wordsmith. PR to be created based on it.

  3. Brian Campbell reporter

    How about “shall require a JWS signed JWT request object passed by value with the request parameter or by reference with the request_uri parameter”?

    I’m just trying to work with the language that was already there but adjust it so it’s not wrong.

    The “clause 6 of OIDC” pointer could be included too. Or not. I dunno. I don’t know that it’s a particularly helpful reference. Maybe. But as @josephheenan pointed out to me, it’s probably not totally correct either given the use of PAR in general for request_uri, which is built on JAR rather than the OIDC’s “Passing Request Parameters as JWTs” section.

    Trying to keep the scope of the change small so as to just fix some problematic language. But once you start pulling on the thread…
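
The by-value / by-reference distinction discussed in this issue, as an added example that is not part of the thread or of the FAPI text: an authorization-server-side sketch in which `request` carries the JWS itself, `request_uri` only references one, and only the signed claims are used. The function names, the in-memory `Map` standing in for wherever a `request_uri` resolves, the `urn:example` value and the ES256 key pair are assumptions constructed for the example.

```javascript
const nodeCrypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url').toString('utf8');

// Constructed client key pair (sample data; a real AS uses the client's registered key).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Client side: build a compact ES256 JWS over the authorization request parameters.
function signJws(claims, key) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// AS side: verify the compact JWS and return its claims.
function verifyJws(jws, key) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  // Pin the algorithm instead of trusting whatever the header asks for.
  if (JSON.parse(fromB64u(parts[0])).alg !== 'ES256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(fromB64u(parts[1]));
}

// store: hypothetical Map of request_uri -> JWS (for example, filled by a PAR endpoint).
function resolveAuthzParams(query, store, clientKey) {
  const byValue = query.request !== undefined;
  const byRef = query.request_uri !== undefined;
  if (byValue === byRef) throw new Error('exactly one of request / request_uri is required');
  // request carries the JWS itself; request_uri only references one.
  const jws = byValue ? query.request : store.get(query.request_uri);
  if (jws === undefined) throw new Error('unknown request_uri');
  // Only the signed claims are returned; unsigned query parameters are ignored.
  return verifyJws(jws, clientKey);
}

// Constructed sample request object and reference.
const SAMPLE_JWS = signJws({ client_id: 'client-1', scope: 'openid accounts' }, privateKey);
const SAMPLE_URI = 'urn:example:request:1';
const STORE = new Map([[SAMPLE_URI, SAMPLE_JWS]]);
```

Passing the `request_uri` value itself to `verifyJws` fails with "not a compact JWS", which is the literal reading the issue objects to.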
