reject vs ignore on plain (or outside PAR) authorization request parameters
Issue #347
duplicate
- shall reject authorization requests sent without [@I-D.lodderstedt-oauth-par] or authorization request parameters sent outside of the PAR request, except for
request_uriandclient_id
Is ignoring parameters outside of PAR as defined by JAR/PAR not sufficient? This is introducing yet another splinter of already so fractured specification family.
Comments (6)
-
-
Wouldn’t be
require_pushed_authorization_requestsset to true define the desired behavior? -
Yes, we can omit the whole second part of the clause.
-
- changed status to resolved
→ <<cset 62909e4c84dc>>
-
- changed status to duplicate
Duplicate of
#340. -
- changed component to FAPI2: Security Profile
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- duplicate
- Component
- FAPI2: Security Profile
- Milestone
- –
- Votes
- 0
- Watchers
- 1
+1 and see also https://bitbucket.org/openid/fapi/issues/340/treatment-of-authorization-request