FAPI2MS: Rejection of non-JAR/non-JARM requests
The current language https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Message_Signing.md does not require authorization servers supporting signed authorization requests (JAR) to reject unsigned authorization requests.
It’s hard to see how the spec meets the NR3 requirements if it is allowing unsigned requests.
Similarly for signed authorization responses (JARM) there’s no requirement on the server to reject requests made without JARM.
Comments (7)
reporter - changed milestone to 2nd Implementers Draft
We discussed fixing this on the next implementers draft
if a client is set up for non-repudiation / message signing, then the server shall reject unsigned requests
we also discussed registering some client metadata for
response_modes
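The rule stated in the comment above (a client set up for message signing must not have unsigned requests accepted, and must receive signed responses) can be enforced at the PAR endpoint with a small policy check. The following is an added illustration written for this page, not code from the FAPI working group or the specification. It assumes the real RFC 9101 client metadata `require_signed_request_object` and the JARM metadata `authorization_signed_response_alg`; the `response_modes` field stands in for the client metadata the thread says it discussed registering and is hypothetical, as is the injected `verify_signature` callback and the constructed sample request objects (which carry a placeholder signature so only the policy logic is exercised):

```python
import base64
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Response modes defined by JARM; any of these means "sign the response".
JARM_RESPONSE_MODES = frozenset({"jwt", "query.jwt", "fragment.jwt", "form_post.jwt"})


@dataclass
class ClientRegistration:
    client_id: str
    # RFC 9101 client metadata: the client only ever sends signed request objects.
    require_signed_request_object: bool = False
    # JARM client metadata: the algorithm the AS must sign responses with.
    authorization_signed_response_alg: Optional[str] = None
    # HYPOTHETICAL metadata, standing in for the "response_modes" registration
    # the thread discusses: the set of response modes the client may use.
    response_modes: FrozenSet[str] = frozenset({"jwt"})


def _b64url_json(part: str) -> dict:
    """Decode one base64url JSON segment of a compact JWS."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def _parse_jws_compact(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, claims); the signature is not decoded here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialization")
    return _b64url_json(parts[0]), _b64url_json(parts[1])


def check_authorization_request(
    client: ClientRegistration,
    params: Dict[str, str],
    verify_signature: Callable[[str, ClientRegistration], bool],
) -> Tuple[bool, str]:
    """Decide whether the AS may accept the parameters received at its PAR
    endpoint (RFC 9126) from `client`. Returns (accepted, reason).
    `verify_signature` is the deployment's JWS verification against the
    client's registered keys; it is injected so this example stays self-contained."""
    if client.require_signed_request_object:
        token = params.get("request")
        if token is None:
            return False, "client is registered for JAR but sent plain parameters"
        try:
            header, claims = _parse_jws_compact(token)
        except ValueError as exc:
            return False, f"malformed request object: {exc}"
        if header.get("alg", "none") == "none":
            return False, "unsigned request object (alg=none) rejected"
        if not verify_signature(token, client):
            return False, "request object signature did not verify"
        if claims.get("client_id") != client.client_id:
            return False, "client_id inside the request object does not match"
        effective = claims  # RFC 9101: only parameters inside the JAR count
    else:
        effective = dict(params)

    mode = effective.get("response_mode")
    if client.authorization_signed_response_alg is not None and mode not in JARM_RESPONSE_MODES:
        return False, "client is registered for JARM but did not request a JWT response mode"
    if mode is not None and mode not in client.response_modes:
        return False, f"response_mode {mode!r} is not registered for this client"
    return True, "accepted"


def _constructed_request_object(claims: dict, alg: str) -> str:
    """Constructed test token: a JWS *shape* with a placeholder signature, so
    only the structural checks (and the injected verifier) are exercised."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'oauth-authz-req+jwt'})}.{enc(claims)}.placeholder-sig"


def demo() -> Dict[str, bool]:
    """Run the rule against four constructed requests from a signing client."""
    client = ClientRegistration("example-client", True, "PS256", frozenset({"jwt"}))
    # Stand-in verifier for the demo: trusts only our placeholder signature.
    trusts_placeholder = lambda token, c: token.endswith(".placeholder-sig")
    base = {"client_id": "example-client", "response_type": "code",
            "redirect_uri": "https://client.example/cb"}
    jar = lambda claims, alg: {"request": _constructed_request_object(claims, alg)}
    return {
        "plain_params": check_authorization_request(client, base, trusts_placeholder)[0],
        "alg_none": check_authorization_request(
            client, jar({**base, "response_mode": "jwt"}, "none"), trusts_placeholder)[0],
        "jar_without_jarm": check_authorization_request(
            client, jar(base, "PS256"), trusts_placeholder)[0],
        "jar_with_jarm": check_authorization_request(
            client, jar({**base, "response_mode": "jwt"}, "PS256"), trusts_placeholder)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the last of the four constructed requests is accepted: plain parameters, an `alg=none` request object, and a signed request object that does not ask for a JWT response mode are all refused, which is the behaviour the comment asks the spec to mandate. In a real deployment `verify_signature` would check the JWS against the client's registered JWKS and the allowed FAPI algorithms.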
assigned issue to
assigned issue to
- changed status to closed
Merged in fix-576 (pull request #416)
fapi2ms: require use of jarm, require use of jar, define response modes client metadata
- fapi2ms: require use of jarm, require use of jar, define response modes client metadata
closes #576
Approved-by: Daniel Fett
Approved-by: Dave Tonge
Approved-by: Joseph Heenan
Approved-by: Lukasz Jaromin
Approved-by: Nat Sakimura
→ <<cset a08b2fc8cf41>>
Merged in fix-576 (pull request #416)
fapi2ms: require use of jarm, require use of jar, define response modes client metadata
- fapi2ms: require use of jarm, require use of jar, define response modes client metadata
closes #576
Approved-by: Daniel Fett
Approved-by: Dave Tonge
Approved-by: Joseph Heenan
Approved-by: Lukasz Jaromin
Approved-by: Nat Sakimura
→ <<cset 40ab312a7dd5>>
The wording for this clause on clients could probably also be improved:
to something more like:
“shall send all authorization parameters to the PAR endpoint [@!RFC9126] in a JAR [@!RFC9101] signed request object”