Request for clarification on fapi1-advanced-final-par-pushed-authorization-url-as-audience-in-request-object test case

Comments (6)

1. 

   Joseph Heenan

   Hi Vimukthi

   ‌

   Can you clarify which of your observations are about request objects and which are about private_key_jwt client assertions please? The text you quote relates to private_key_jwt client assertions, whereas the test you mention is for request objects.

   ‌

   Thanks

   ‌

   Joseph

   ‌

   • 2023-08-04T08:18:44+00:00
2. 

   Vimukthi Rajapaksha reporter

   Hi Joseph,

   Thank you for your prompt response. We would like clarification on the aud value in the request object. The test case points to Section 2.1 of the RFC 9126 specification[1]. However, we could not find any reference in that section that explicitly prohibits the use of the PAR endpoint as the request object aud value. Could you kindly point out which references you have used to reach this conclusion?

   [1] https://www.rfc-editor.org/rfc/rfc9126.html#section-2.1

   Thank you,
   Vimukthi

   • 2023-08-04T09:14:42+00:00
3. 

   Joseph Heenan

   Ah, I see - the test references the incorrect spec here, we’ll fix that.

   The test is correct.

   It should reference:

   https://www.rfc-editor.org/rfc/rfc9101.html#section-4

   The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414 [RFC8414].

   ‌

   • 2023-08-04T09:21:35+00:00
4. 

   Joseph Heenan

   ‌

   Actually the better spec reference is https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#authorization-server

   shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL;

   ‌

   • 2023-08-04T09:48:50+00:00
5. 

   Brian Campbell

   • changed status to open

   • 2023-08-04T12:48:52+00:00
6. 

   Dave Tonge

   • changed status to resolved

   Incorrect url ref fixed

   • 2023-08-09T14:41:16+00:00
7. Log in to comment