Request for clarification on fapi1-advanced-final-par-pushed-authorization-url-as-audience-in-request-object test case
Hi Team,
The “fapi1-advanced-final-par-pushed-authorization-url-as-audience-in-request-object” test case[1] in “fapi1-advanced-final-test-plan[2]” version 5.1.5 sends the PAR endpoint URL as the audience in the request object. The authorization server is expected to reject the request with an invalid_request_object error message. However, according to the RFC 9126#section-2[3] specification, the authorization server MUST accept its issuer identifier, token endpoint URL, or pushed authorization request endpoint URL as valid aud values. This seems to be a conflict between the test case and the specification. we would appreciate it if we could clarify this.
[1] https://www.certification.openid.net/log-detail.html?log=chprTHoTdUuAXa2&public=true
[2] https://www.certification.openid.net/plan-detail.html?plan=0IEBEA1sPWoOp&public=true
[3] https://www.rfc-editor.org/rfc/rfc9126.html#section-2
Thank you,
Vimukthi
Comments (6)
-
-
reporter Hi Joseph,
Thank you for your prompt response. We would like clarification on the aud value in the request object. The test case points to Section 2.1 of the RFC 9126 specification[1]. However, we could not find any reference in that section that explicitly prohibits the use of the PAR endpoint as the request object aud value. Could you kindly point out which references you have used to reach this conclusion?
[1] https://www.rfc-editor.org/rfc/rfc9126.html#section-2.1
Thank you,
Vimukthi -
Ah, I see - the test references the incorrect spec here, we’ll fix that.
The test is correct.
It should reference:
https://www.rfc-editor.org/rfc/rfc9101.html#section-4
The value of
aud
should be the value of the authorization server (AS)issuer
, as defined in RFC 8414 [RFC8414].
-
Actually the better spec reference is https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#authorization-server
shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL;
-
- changed status to open
-
- changed status to resolved
Incorrect url ref fixed
- Log in to comment
Hi Vimukthi
Can you clarify which of your observations are about request objects and which are about private_key_jwt client assertions please? The text you quote relates to private_key_jwt client assertions, whereas the test you mention is for request objects.
Thanks
Joseph