treatment of authorization request parameters outside PAR
Baseline has "shall reject authorization requests sent without [@I-D.lodderstedt-oauth-par] or authorization request parameters sent outside of the PAR request, except for request_uri and client_id".
But request parameters outside shouldn't require rejection, rather they just must not be relied upon so should be ignored. The end of https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-5 even talks about why a client might send parameters duplicated outside. Also the I-D.lodderstedt-oauth-par reference should be I-D.ietf-oauth-par.
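To make the distinction concrete, here is an added illustration (it is not part of this issue, the FAPI baseline text, or any OIDF code) of an authorization endpoint for a PAR-only profile that reads only client_id and request_uri from the front-channel query, ignores any duplicated parameters rather than rejecting the request, and still rejects requests that carry no request_uri at all or whose client_id does not match the pushed request. The in-memory PAR store, the function names and the sample URLs are assumptions of the example.

```python
"""Added example, not from the FAPI spec or issue tracker: PAR-only
authorization endpoint that ignores (does not reject) parameters sent
outside the pushed request. Store, names and URLs are assumptions."""
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory PAR store: request_uri -> parameters pushed at the
# PAR endpoint (a real AS would use a short-TTL, single-use backing store).
PAR_STORE = {}

# The only front-channel parameters a PAR-only AS reads from the query.
FRONT_CHANNEL_ALLOWED = ("client_id", "request_uri")


def push_authorization_request(client_id, params):
    """Simulates the PAR endpoint: the (already authenticated) client pushes
    its authorization parameters and receives a fresh, opaque request_uri."""
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
    PAR_STORE[request_uri] = dict(params, client_id=client_id)
    return request_uri


def resolve_authorization_request(url):
    """Authorization endpoint behaviour for a PAR-only profile.

    Returns (effective_params, ignored_names). effective_params come solely
    from the pushed request; ignored_names lists every query parameter other
    than client_id and request_uri, which are read but never relied upon.
    Raises ValueError for requests the AS must still reject.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    # Baseline retained: a request that did not go through PAR is rejected.
    if "request_uri" not in query:
        raise ValueError("invalid_request: request_uri is required")
    request_uri = query["request_uri"][0]
    client_id = query.get("client_id", [None])[0]

    # request_uri is single use: pop it so a replay fails.
    pushed = PAR_STORE.pop(request_uri, None)
    if pushed is None:
        raise ValueError("invalid_request_uri: unknown or already used request_uri")

    # The front-channel client_id must match the client that pushed the request.
    if client_id is None or pushed["client_id"] != client_id:
        raise ValueError("invalid_request: client_id does not match pushed request")

    # Everything else in the query (duplicated or attacker-altered scope,
    # response_type, redirect_uri, ...) is ignored, not an error.
    ignored = sorted(name for name in query if name not in FRONT_CHANNEL_ALLOWED)
    return pushed, ignored


def is_rejected(url):
    """Helper for checks: True if the authorization endpoint would reject url."""
    try:
        resolve_authorization_request(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ru = push_authorization_request("client-abc", {
        "response_type": "code",
        "scope": "openid payments",
        "redirect_uri": "https://rp.example/cb",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    })
    # Client duplicates scope/response_type outside PAR (allowed by jwsreq).
    effective, ignored = resolve_authorization_request(
        f"https://as.example/authorize?client_id=client-abc&request_uri={ru}"
        "&scope=openid&response_type=code")
    print("effective scope:", effective["scope"], "| ignored:", ignored)
```

In the second request the query carries scope=openid while the pushed request said "openid payments"; the effective scope is the pushed one, and the duplicates are merely reported as ignored. A request lacking request_uri, a replayed request_uri, or a mismatched client_id are still rejected, which is the part of the baseline text that should stay.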
Comments (6)
- changed status to resolved
→ <<cset 62909e4c84dc>>
- Issue #347 was marked as a duplicate of this issue.
Thanks, I have removed the second part of the sentence.
- Reporter missed this part: “Also the I-D.lodderstedt-oauth-par reference should be I-D.ietf-oauth-par.”
- changed component to FAPI2: Security Profile
I agree with this, and the PAR-supporting versions of FAPI v1 conformance tests explicitly require requests to be accepted both with and without scope/response_type duplicates (as well as having a bunch of tests to try to verify that values outside the request object are ignored).