FAPI2MS: Rejection of non-JAR/non-JARM requests

Issue #576 closed
Joseph Heenan created an issue

The current language https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Message_Signing.md does not require Authorization servers supporting signed authorization requests (JAR) to reject unsigned authorization requests.

It’s hard to see how the spec meets the NR3 requirements if it is allowing unsigned requests.

Similarly for signed authorization responses (JARM) there’s no requirement on the server to reject requests made without JARM.

Comments (7)

  1. Joseph Heenan reporter

    The wording for this clause on clients could probably also be improved:

    shall sign request objects according to JAR [@!RFC9101] that are sent to the PAR endpoint [@!RFC9126]

    to something more like:

    “shall send all authorization parameters to the PAR endpoint [@!RFC9126] in a JAR [@!RFC9101] signed request object”

  2. Dave Tonge

    if a client is set up for non-repudiation / message signing, then the server shall reject unsigned requests

    we also discussed registering some client metadata for response_modes
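
The policy stated in the comment above (an AS that has a client registered for signed request objects rejects anything unsigned, and a client registered only for JARM response modes cannot opt out) as an added example; this is illustration code, not the FAPI working group's or any implementation's. It assumes: the real RFC 9101 client metadata `require_signed_request_object`; a hypothetical client metadata field `response_modes` standing in for the "response modes client metadata" the comment mentions (its actual name is not on this page); a caller-supplied `verify` callback for signature verification against the client's registered keys; and an assumed set of parameters a client may post beside the `request` JWT at the PAR endpoint. The sample request objects are constructed with placeholder signature bytes.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Callable, Optional

# Response modes defined by JARM (JWT Secured Authorization Response Mode for OAuth 2.0).
JARM_RESPONSE_MODES = {"jwt", "query.jwt", "fragment.jwt", "form_post.jwt"}

# Asymmetric JWS algorithms acceptable for a non-repudiable request object; "none" and
# the symmetric HS* family can never satisfy a non-repudiation requirement.
ALLOWED_JAR_ALGS = {"PS256", "ES256", "EdDSA"}

# Assumption: parameters a client may post to the PAR endpoint beside the request object
# (client authentication). Every other authorization parameter must travel inside the JWT.
PAR_ENVELOPE_PARAMS = {"request", "client_id", "client_assertion", "client_assertion_type"}


class RequestRejected(Exception):
    """Carries the OAuth error code the AS would return."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error


@dataclass
class ClientMetadata:
    client_id: str
    # RFC 9101 section 10.5: the client promises to always use signed request objects.
    require_signed_request_object: bool = False
    # Hypothetical client metadata (name assumed for this example): the response modes the
    # client was registered with; registering only JARM modes forces JARM.
    response_modes: set = field(default_factory=set)


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_jws(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble a compact JWS from pre-computed parts (sample construction only; no signing)."""
    encoded = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return encoded + "." + _b64url_encode(signature)


def check_par_request(client: ClientMetadata, params: dict,
                      verify: Callable[[str, str], bool]) -> dict:
    """Apply the 'reject unsigned requests' rule at the PAR endpoint.

    params: form parameters posted to the PAR endpoint.
    verify(client_id, jws): signature check against the client's registered keys
    (supplied by the caller; not implemented here).
    Returns the authorization parameters the AS may act on.
    """
    request_jwt = params.get("request")
    if request_jwt is None:
        if client.require_signed_request_object:
            raise RequestRejected("invalid_request", "client registered for JAR sent no request object")
        return dict(params)  # client not registered for JAR: plain parameters are acceptable
    stray = set(params) - PAR_ENVELOPE_PARAMS
    if stray:
        raise RequestRejected("invalid_request", f"parameters outside the request object: {sorted(stray)}")
    parts = request_jwt.split(".")
    if len(parts) != 3:
        raise RequestRejected("invalid_request_object", "request is not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        raise RequestRejected("invalid_request_object", "undecodable request object")
    if header.get("alg") not in ALLOWED_JAR_ALGS:
        raise RequestRejected("invalid_request_object", f"unacceptable alg {header.get('alg')!r}")
    if not verify(client.client_id, request_jwt):
        raise RequestRejected("invalid_request_object", "signature verification failed")
    if claims.get("client_id") != client.client_id:
        raise RequestRejected("invalid_request_object", "client_id in request object does not match")
    return claims


def check_response_mode(client: ClientMetadata, claims: dict) -> str:
    """JARM side: a client registered only for JWT response modes cannot opt out."""
    mode = claims.get("response_mode", "query")  # OAuth default for response_type=code
    if client.response_modes and mode not in client.response_modes:
        raise RequestRejected("invalid_request", f"response_mode {mode!r} not registered for client")
    return mode


def rejection_error(fn, *args) -> Optional[str]:
    """Run a check and return the error code it raises, or None if the request is accepted."""
    try:
        fn(*args)
    except RequestRejected as e:
        return e.error
    return None


# Constructed sample inputs (not captured traffic); signatures are placeholder bytes and
# sample_verify stands in for real key lookup and verification.
CLIENT = ClientMetadata("client-1", require_signed_request_object=True, response_modes={"jwt"})
SIGNED = build_jws({"alg": "PS256", "kid": "k1"},
                   {"client_id": "client-1", "response_type": "code", "response_mode": "jwt",
                    "redirect_uri": "https://client.example/cb"}, b"placeholder-sig")
UNSIGNED = build_jws({"alg": "none"}, {"client_id": "client-1", "response_type": "code"}, b"")
OPT_OUT = build_jws({"alg": "PS256", "kid": "k1"},
                    {"client_id": "client-1", "response_type": "code", "response_mode": "query"},
                    b"placeholder-sig")


def sample_verify(client_id: str, jws: str) -> bool:
    return jws.endswith("." + _b64url_encode(b"placeholder-sig"))


if __name__ == "__main__":
    for label, params in [("bare params", {"client_id": "client-1", "response_type": "code"}),
                          ("alg=none", {"client_id": "client-1", "request": UNSIGNED}),
                          ("signed JAR", {"client_id": "client-1", "request": SIGNED})]:
        print(label, "->", rejection_error(check_par_request, CLIENT, params, sample_verify))
```

Running the module prints the error code each sample triggers; `signed JAR` is the only one accepted, and the same client's request object asking for `response_mode=query` (OPT_OUT) is then refused by `check_response_mode` because only `jwt` is registered.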

  3. Dave Tonge

    Merged in fix-576 (pull request #416)

    fapi2ms: require use of jarm, require use of jar, define response modes client metadata

    • fapi2ms: require use of jarm, require use of jar, define response modes client metadata

    closes #576

    Approved-by: Daniel Fett
    Approved-by: Dave Tonge
    Approved-by: Joseph Heenan
    Approved-by: Lukasz Jaromin
    Approved-by: Nat Sakimura

    → <<cset a08b2fc8cf41>>

  4. Dave Tonge

    Merged in fix-576 (pull request #416)

    fapi2ms: require use of jarm, require use of jar, define response modes client metadata

    • fapi2ms: require use of jarm, require use of jar, define response modes client metadata

    closes #576

    Approved-by: Daniel Fett
    Approved-by: Dave Tonge
    Approved-by: Joseph Heenan
    Approved-by: Lukasz Jaromin
    Approved-by: Nat Sakimura

    → <<cset 40ab312a7dd5>>