reject vs ignore on plain (or outside PAR) authorization request parameters
Issue #347
duplicate
- shall reject authorization requests sent without [@I-D.lodderstedt-oauth-par] or authorization request parameters sent outside of the PAR request, except for request_uri and client_id
Is ignoring parameters outside of PAR as defined by JAR/PAR not sufficient? This is introducing yet another splinter of an already so fractured specification family.
Comments (6)
- Wouldn’t require_pushed_authorization_requests set to true define the desired behavior?
- Yes, we can omit the whole second part of the clause.
- changed status to resolved → <<cset 62909e4c84dc>>
- changed status to duplicate. Duplicate of #340.
- changed component to FAPI2: Security Profile
+1 and see also https://bitbucket.org/openid/fapi/issues/340/treatment-of-authorization-request
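An added sketch, not part of the issue thread or of the FAPI text, of the two behaviours being compared: "ignore" uses only the pushed parameters and drops anything else on the front channel, while "reject" refuses the request as the quoted clause asks. The function, policy names and sample values are constructed for illustration, and the server is assumed to run with require_pushed_authorization_requests set to true.

```python
# Added illustration; all names and sample values are constructed.
ALLOWED_OUTSIDE_PAR = {"request_uri", "client_id"}


class AuthzError(Exception):
    """Raised when the authorization request must be refused."""


def resolve_request(query, pushed, policy):
    """Return the effective parameters for a front-channel authorization request.

    query  -- parameters received at the authorization endpoint
    pushed -- dict mapping request_uri -> parameters stored by the PAR endpoint
    policy -- "ignore" (drop parameters sent outside PAR) or
              "reject" (refuse the request, as in the quoted clause)
    """
    request_uri = query.get("request_uri")
    if request_uri is None:
        # Assumed require_pushed_authorization_requests=true: a plain
        # authorization request is refused under either policy.
        raise AuthzError("authorization request was not pushed")
    stored = pushed.get(request_uri)
    if stored is None:
        raise AuthzError("unknown or expired request_uri")
    if stored["client_id"] != query.get("client_id"):
        raise AuthzError("client_id does not match the pushed request")
    extras = sorted(set(query) - ALLOWED_OUTSIDE_PAR)
    if extras and policy == "reject":
        # The failure is visible to the client and can be logged by the server.
        raise AuthzError("parameters outside PAR: " + ", ".join(extras))
    # Under "ignore" the extras never reach the effective request.
    return dict(stored)


# Constructed sample data: one pushed request and a front-channel request
# that carries an extra scope parameter alongside the PAR reference.
PUSHED = {
    "urn:example:par:abc123": {
        "client_id": "client-1",
        "scope": "payments",
        "redirect_uri": "https://client.example/cb",
    }
}
EXTRA_PARAM = {
    "request_uri": "urn:example:par:abc123",
    "client_id": "client-1",
    "scope": "admin",
}
```

In both modes the extra scope value never takes effect; the difference is whether the request carrying it proceeds silently or fails with an error.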