one-time use of request_uri causing error
From: Dec 13 Call:
It was found in Australia that one-time usage for request_uri in PAR causes errors in some browser-to-app interactions.
A combination of browser and virus checker was consuming the PAR uri by the time the client got the PAR response.
May need some guidance regarding relaxing the strict one-time usage of PAR uri.
Wording from PAR:
Authorization servers SHOULD treat request_uri values as one-time use but MAY allow for duplicate requests due to a user reloading/refreshing their user agent.
https://www.rfc-editor.org/rfc/rfc9126.html#section-4
Relaxing one-time usage may be dangerous but might be practical
May write implementation advice/note that these situations may arise
We are going to reach out to the Stuttgart team to find if it is a show-stopper if we relax it.
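An added illustration, not code from the FAPI issue or from RFC 9126: a PAR request_uri store that is one-time use by default but tolerates a duplicate lookup from the same client within a short grace window, so a browser reload or a pre-fetch that consumed the URI before the real authorization request does not break the flow. The class, the grace window and the binding to client_id are assumptions for this example; the urn prefix is the one RFC 9126 defines.

```python
"""Added example (not from the issue or RFC 9126): request_uri store for an
authorization server that relaxes strict one-time use only slightly.
A duplicate use is accepted only from the same client and only within a
short grace window after the first use; anything else is rejected."""
import secrets
import time

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # prefix from RFC 9126


class PARStore:
    def __init__(self, lifetime_s=60, grace_s=5, clock=time.time):
        self._lifetime_s = lifetime_s  # how long an unused request_uri stays valid
        self._grace_s = grace_s        # window in which a duplicate use is tolerated
        self._clock = clock            # injectable for deterministic tests
        self._entries = {}             # request_uri -> record

    def push(self, client_id, params):
        """Store a pushed request; return the request_uri handed back to the client."""
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._entries[request_uri] = {
            "client_id": client_id,
            "params": dict(params),
            "expires_at": self._clock() + self._lifetime_s,
            "first_used_at": None,
        }
        return request_uri

    def consume(self, request_uri, client_id):
        """Resolve a request_uri presented in an authorization request.

        Returns the stored parameters, or None when the URI is unknown, expired,
        bound to a different client, or already used outside the grace window.
        """
        rec = self._entries.get(request_uri)
        now = self._clock()
        if rec is None or now > rec["expires_at"] or rec["client_id"] != client_id:
            return None
        if rec["first_used_at"] is None:
            rec["first_used_at"] = now        # first use: mark it, keep it for the grace window
            return rec["params"]
        if now - rec["first_used_at"] <= self._grace_s:
            return rec["params"]              # duplicate (e.g. reload) inside the grace window
        del self._entries[request_uri]        # grace window over: strictly one-time from here on
        return None
```

With `grace_s=0` the store behaves as the strict one-time-use reading of the spec; the grace window is the knob an implementer would set, and keep small, when the reload problem described above is observed.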
Comments (4)
- reporter: Dave to add sentence to FAPI2 Security Profile, also email OAuth WG
- reporter: changed status to open
- changed status to resolved
- Resolved with https://bitbucket.org/openid/fapi/pull-requests/454